{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24045", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-20T22:30:11.777Z", "datePublished": "2026-02-10T16:56:37.966Z", "dateUpdated": "2026-04-14T21:36:07.934Z"}, "containers": {"cna": {"title": "Docmost Affected by Stored XSS in Public Share Page", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/docmost/docmost/security/advisories/GHSA-h7fp-4f37-29wq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/docmost/docmost/security/advisories/GHSA-h7fp-4f37-29wq"}, {"name": "https://github.com/docmost/docmost/commit/f3f74c591f32f85b8aa9a98ed884a7dd455780f9", "tags": ["x_refsource_MISC"], "url": "https://github.com/docmost/docmost/commit/f3f74c591f32f85b8aa9a98ed884a7dd455780f9"}, {"name": "https://github.com/docmost/docmost/releases/tag/v0.25.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/docmost/docmost/releases/tag/v0.25.0"}], "affected": [{"vendor": "docmost", "product": "docmost", "versions": [{"version": ">= 0.20.0, < 0.25.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:36:07.934Z"}, "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. From 0.20.0 and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks, where an attacker can execute arbitrary JavaScript in the context of any user who opens a shared page link. This vulnerability is fixed in 0.25.0."}], "source": {"advisory": "GHSA-h7fp-4f37-29wq", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/docmost/docmost/security/advisories/GHSA-h7fp-4f37-29wq", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T18:55:53.971510Z", "id": "CVE-2026-24045", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T18:55:58.562Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24045", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-10T18:55:53.971510Z"}}}], "references": [{"url": "https://github.com/docmost/docmost/security/advisories/GHSA-h7fp-4f37-29wq", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T18:55:43.829Z"}}], "cna": {"title": "Docmost Affected by Stored XSS in Public Share Page", "source": {"advisory": "GHSA-h7fp-4f37-29wq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "docmost", "product": "docmost", "versions": [{"status": "affected", "version": ">= 0.20.0, < 0.25.0"}]}], "references": [{"url": "https://github.com/docmost/docmost/security/advisories/GHSA-h7fp-4f37-29wq", "name": "https://github.com/docmost/docmost/security/advisories/GHSA-h7fp-4f37-29wq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/docmost/docmost/commit/f3f74c591f32f85b8aa9a98ed884a7dd455780f9", "name": "https://github.com/docmost/docmost/commit/f3f74c591f32f85b8aa9a98ed884a7dd455780f9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/docmost/docmost/releases/tag/v0.25.0", "name": "https://github.com/docmost/docmost/releases/tag/v0.25.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. From 0.20.0 and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks, where an attacker can execute arbitrary JavaScript in the context of any user who opens a shared page link. This vulnerability is fixed in 0.25.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:36:07.934Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24045", "state": "PUBLISHED", "dateUpdated": "2026-04-14T21:36:07.934Z", "dateReserved": "2026-01-20T22:30:11.777Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-10T16:56:37.966Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:docmost:docmost:*:*:*:*:*:*:*:*", "matchCriteriaId": "D7D600BF-E5D3-41E6-9139-FCD949011063", "versionEndExcluding": "0.25.0", "versionStartIncluding": "0.20.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. From 0.20.0 and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks, where an attacker can execute arbitrary JavaScript in the context of any user who opens a shared page link. This vulnerability is fixed in 0.25.0."}, {"lang": "es", "value": "Docmost es un software de wiki y documentaci\u00f3n colaborativo de c\u00f3digo abierto. Desde g y antes de 0.25.0, la funcionalidad de p\u00e1gina compartida p\u00fablica en Docmost no escapa correctamente los t\u00edtulos de p\u00e1gina HTML antes de insertarlos en las metaetiquetas y la etiqueta de t\u00edtulo. Esto permite ataques de cross-site scripting (XSS) almacenado, donde un atacante puede ejecutar JavaScript arbitrario en el contexto de cualquier usuario que abra un enlace de p\u00e1gina compartida. Esta vulnerabilidad est\u00e1 corregida en 0.25.0."}], "id": "CVE-2026-24045", "lastModified": "2026-04-14T22:16:29.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-10T18:16:36.500", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/docmost/docmost/commit/f3f74c591f32f85b8aa9a98ed884a7dd455780f9"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/docmost/docmost/releases/tag/v0.25.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/docmost/docmost/security/advisories/GHSA-h7fp-4f37-29wq"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/docmost/docmost/security/advisories/GHSA-h7fp-4f37-29wq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.20.0,0.25.0)"}}], "product": "docmost", "vendor": "docmost"}], "analysis": {"en": {"generated_at": "2026-04-15T15:14:19.543929+00:00", "value": {"mitigation_remediation": ["Upgrade to Docmost version 0.25.0 or later to receive the security fix. ", "If an immediate upgrade is not possible, implement server\u2011side escaping for page titles before inserting them into meta and title tags to neutralize injected script payloads. ", "Audit existing shared page titles for suspicious content, revoke or regenerate problematic share links, and monitor access logs for attempts to load or use malicious shared pages."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Docmost versions 0.20.0 up to, but not including, 0.25.0. Earlier releases are unaffected, and any deployment running 0.25.0 or newer has the fix in place. It is a single product\u2014Docmost\u2014distributed under the open\u2011source license.", "description_and_impact": "Docmost, an open\u2011source wiki, contains a stored cross\u2011site scripting flaw in its public share page function. Page titles are inserted into meta and title tags without proper HTML escaping. An attacker who creates or modifies a shared page can embed malicious JavaScript in the title, which will execute in the browser of any user who later opens that link. The vulnerable code allows arbitrary code execution in the context of legitimately logged\u2011in or anonymous users, exposing all data that the browser can access.", "risk_and_exploitability": "With a CVSS score of 7.3, the flaw is considered a high\u2011severity risk. The EPSS score is below 1\u202f%, indicating a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. However, because the attack vector is remote and the flaw is stored, an attacker can embed a malicious title in a share link that anyone with access to that link can trigger, leading to potential data theft or session hijacking. The risk is moderate to high depending on user exposure to public share links."}}}}, "created": "2026-02-10T21:42:00.391075+00:00", "updated": "2026-04-15T17:45:10.847773+00:00", "vendors": ["docmost", "docmost$PRODUCT$docmost"]}