CVE-2026-24045 Overview
CVE-2026-24045 is a Stored Cross-Site Scripting (XSS) vulnerability affecting Docmost, an open-source collaborative wiki and documentation software. The vulnerability exists in the public share page functionality, which fails to properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows attackers to execute arbitrary JavaScript in the context of any user who opens a shared page link.
Critical Impact
Attackers can execute arbitrary JavaScript code in victims' browsers when they access shared page links, potentially leading to session hijacking, credential theft, and unauthorized actions performed on behalf of authenticated users.
Affected Products
- Docmost versions prior to 0.25.0
- Docmost public share page functionality
- Self-hosted Docmost deployments with sharing features enabled
Discovery Timeline
- 2026-02-10 - CVE CVE-2026-24045 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-24045
Vulnerability Analysis
The vulnerability stems from improper output encoding in Docmost's share page rendering mechanism. When a page is shared publicly, Docmost generates an HTML response that includes the page title in both the <title> tag and various SEO-related <meta> tags. The application fails to sanitize or escape user-controlled page titles before embedding them into this HTML context.
This creates a Stored XSS condition where malicious JavaScript payloads embedded in page titles persist in the database and execute whenever any user accesses the shared page link. The attack requires low privileges (an authenticated user who can create or modify page titles) and requires user interaction (the victim must visit the malicious shared link).
The impact is significant as it affects both the confidentiality and integrity of user sessions. Attackers can steal session cookies, perform actions on behalf of victims, redirect users to phishing pages, or inject malicious content into the application interface.
Root Cause
The root cause is missing HTML entity encoding when rendering page titles in the server-side share page controller. Specifically, the share-seo.controller.ts file directly interpolates page titles into HTML output without passing them through an HTML escape function. Characters such as <, >, ", ', and & are not converted to their corresponding HTML entities, allowing attackers to break out of the intended tag context and inject arbitrary HTML/JavaScript.
Attack Vector
The attack is network-based and follows this pattern:
- An authenticated attacker creates or modifies a Docmost page with a malicious title containing JavaScript payload (e.g., <script>alert(document.cookie)</script>)
- The attacker generates a public share link for this page
- The attacker distributes the share link to potential victims via email, messaging, or other channels
- When victims access the shared link, the malicious page title is rendered without escaping
- The injected JavaScript executes in the victim's browser context with full access to the Docmost application
// Security patch adding HTML escaping functionality
// Source: https://github.com/docmost/docmost/commit/f3f74c591f32f85b8aa9a98ed884a7dd455780f9
// apps/server/src/common/helpers/html-escaper.ts
// https://github.com/WebReflection/html-escaper
/**
* Copyright (C) 2017-present by Andrea Giammarchi - @WebReflection
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*/
const { replace } = '';
// escape
const es = /&(?:amp|#38|lt|#60|gt|#62|apos|#39|quot|#34);/g;
const ca = /[&<>'"]/g;
const esca = {
// ... escape mapping implementation
};
The fix introduces a dedicated htmlEscape function and applies it to page titles in the share controller:
// apps/server/src/core/share/share-seo.controller.ts
import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
import { EnvironmentService } from '../../integrations/environment/environment.service';
import { Workspace } from '@docmost/db/types/entity.types';
+import { htmlEscape } from '../../common/helpers/html-escaper';
@Controller('share')
export class ShareSeoController {
// ... page title is now passed through htmlEscape() before rendering
}
Source: GitHub Commit Update
Detection Methods for CVE-2026-24045
Indicators of Compromise
- Page titles containing HTML tags or JavaScript code patterns such as <script>, <img onerror=, or javascript: URI schemes
- Unusual characters in page titles including angle brackets (<>), quotes, or encoded sequences
- Web application firewall logs showing XSS payload patterns in requests to share endpoints
- User reports of unexpected browser behavior when accessing shared Docmost links
Detection Strategies
- Implement Content Security Policy (CSP) headers to restrict inline script execution and report violations
- Monitor web server access logs for requests to /share/ endpoints with suspicious query parameters or referrers
- Deploy web application firewall rules to detect common XSS payload patterns in HTTP traffic
- Audit database records for page titles containing potentially malicious HTML or JavaScript content
Monitoring Recommendations
- Enable CSP reporting to collect data on blocked script executions that may indicate exploitation attempts
- Configure SIEM alerting for patterns indicative of XSS attacks targeting documentation platforms
- Monitor for anomalous user session behavior following access to shared page links
- Review application logs for errors related to malformed page titles or rendering issues
How to Mitigate CVE-2026-24045
Immediate Actions Required
- Upgrade Docmost to version 0.25.0 or later immediately
- Audit existing page titles for potentially malicious content and sanitize any suspicious entries
- Temporarily disable public page sharing functionality if immediate upgrade is not possible
- Implement Content Security Policy headers to reduce XSS impact while patching is underway
Patch Information
The vulnerability is fixed in Docmost version 0.25.0. The patch introduces proper HTML escaping for page titles using the htmlEscape helper function from the html-escaper library. The fix is applied in the share-seo.controller.ts file, ensuring all user-controlled content is properly encoded before being inserted into HTML context.
- GitHub Release v0.25.0 - Official release containing the security fix
- GitHub Security Advisory GHSA-h7fp-4f37-29wq - Detailed security advisory
- GitHub Commit Update - Commit f3f74c591f32f85b8aa9a98ed884a7dd455780f9 containing the fix
Workarounds
- Disable public page sharing functionality at the application or reverse proxy level until patching is complete
- Implement a reverse proxy rule to strip or block requests containing common XSS payload patterns in share URLs
- Deploy a Web Application Firewall (WAF) with XSS protection rules in front of Docmost instances
- Restrict page creation and modification permissions to trusted users only
# Example: Nginx configuration to add Content Security Policy header
# Add to your Docmost server block configuration
server {
# ... existing configuration ...
# Add Content Security Policy to mitigate XSS impact
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';" always;
# Optional: Block requests with common XSS patterns in share endpoint
location /share/ {
if ($request_uri ~* "(<script|javascript:|onerror=|onload=)") {
return 403;
}
proxy_pass http://docmost_backend;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
