Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-24045

CVE-2026-24045: Docmost Stored XSS Vulnerability

CVE-2026-24045 is a stored XSS vulnerability in Docmost collaborative wiki software that allows attackers to execute arbitrary JavaScript via malicious page titles. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-24045 Overview

CVE-2026-24045 is a Stored Cross-Site Scripting (XSS) vulnerability affecting Docmost, an open-source collaborative wiki and documentation software. The vulnerability exists in the public share page functionality, which fails to properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows attackers to execute arbitrary JavaScript in the context of any user who opens a shared page link.

Critical Impact

Attackers can execute arbitrary JavaScript code in victims' browsers when they access shared page links, potentially leading to session hijacking, credential theft, and unauthorized actions performed on behalf of authenticated users.

Affected Products

  • Docmost versions prior to 0.25.0
  • Docmost public share page functionality
  • Self-hosted Docmost deployments with sharing features enabled

Discovery Timeline

  • 2026-02-10 - CVE CVE-2026-24045 published to NVD
  • 2026-02-10 - Last updated in NVD database

Technical Details for CVE-2026-24045

Vulnerability Analysis

The vulnerability stems from improper output encoding in Docmost's share page rendering mechanism. When a page is shared publicly, Docmost generates an HTML response that includes the page title in both the <title> tag and various SEO-related <meta> tags. The application fails to sanitize or escape user-controlled page titles before embedding them into this HTML context.

This creates a Stored XSS condition where malicious JavaScript payloads embedded in page titles persist in the database and execute whenever any user accesses the shared page link. The attack requires low privileges (an authenticated user who can create or modify page titles) and requires user interaction (the victim must visit the malicious shared link).

The impact is significant as it affects both the confidentiality and integrity of user sessions. Attackers can steal session cookies, perform actions on behalf of victims, redirect users to phishing pages, or inject malicious content into the application interface.

Root Cause

The root cause is missing HTML entity encoding when rendering page titles in the server-side share page controller. Specifically, the share-seo.controller.ts file directly interpolates page titles into HTML output without passing them through an HTML escape function. Characters such as <, >, ", ', and & are not converted to their corresponding HTML entities, allowing attackers to break out of the intended tag context and inject arbitrary HTML/JavaScript.

Attack Vector

The attack is network-based and follows this pattern:

  1. An authenticated attacker creates or modifies a Docmost page with a malicious title containing JavaScript payload (e.g., <script>alert(document.cookie)</script>)
  2. The attacker generates a public share link for this page
  3. The attacker distributes the share link to potential victims via email, messaging, or other channels
  4. When victims access the shared link, the malicious page title is rendered without escaping
  5. The injected JavaScript executes in the victim's browser context with full access to the Docmost application
typescript
// Security patch adding HTML escaping functionality
// Source: https://github.com/docmost/docmost/commit/f3f74c591f32f85b8aa9a98ed884a7dd455780f9

// apps/server/src/common/helpers/html-escaper.ts
// https://github.com/WebReflection/html-escaper
/**
 * Copyright (C) 2017-present by Andrea Giammarchi - @WebReflection
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 */

const { replace } = '';

// escape
const es = /&(?:amp|#38|lt|#60|gt|#62|apos|#39|quot|#34);/g;
const ca = /[&<>'"]/g;

const esca = {
  // ... escape mapping implementation
};

The fix introduces a dedicated htmlEscape function and applies it to page titles in the share controller:

typescript
// apps/server/src/core/share/share-seo.controller.ts
import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
import { EnvironmentService } from '../../integrations/environment/environment.service';
import { Workspace } from '@docmost/db/types/entity.types';
+import { htmlEscape } from '../../common/helpers/html-escaper';

@Controller('share')
export class ShareSeoController {
  // ... page title is now passed through htmlEscape() before rendering
}

Source: GitHub Commit Update

Detection Methods for CVE-2026-24045

Indicators of Compromise

  • Page titles containing HTML tags or JavaScript code patterns such as <script>, <img onerror=, or javascript: URI schemes
  • Unusual characters in page titles including angle brackets (<>), quotes, or encoded sequences
  • Web application firewall logs showing XSS payload patterns in requests to share endpoints
  • User reports of unexpected browser behavior when accessing shared Docmost links

Detection Strategies

  • Implement Content Security Policy (CSP) headers to restrict inline script execution and report violations
  • Monitor web server access logs for requests to /share/ endpoints with suspicious query parameters or referrers
  • Deploy web application firewall rules to detect common XSS payload patterns in HTTP traffic
  • Audit database records for page titles containing potentially malicious HTML or JavaScript content

Monitoring Recommendations

  • Enable CSP reporting to collect data on blocked script executions that may indicate exploitation attempts
  • Configure SIEM alerting for patterns indicative of XSS attacks targeting documentation platforms
  • Monitor for anomalous user session behavior following access to shared page links
  • Review application logs for errors related to malformed page titles or rendering issues

How to Mitigate CVE-2026-24045

Immediate Actions Required

  • Upgrade Docmost to version 0.25.0 or later immediately
  • Audit existing page titles for potentially malicious content and sanitize any suspicious entries
  • Temporarily disable public page sharing functionality if immediate upgrade is not possible
  • Implement Content Security Policy headers to reduce XSS impact while patching is underway

Patch Information

The vulnerability is fixed in Docmost version 0.25.0. The patch introduces proper HTML escaping for page titles using the htmlEscape helper function from the html-escaper library. The fix is applied in the share-seo.controller.ts file, ensuring all user-controlled content is properly encoded before being inserted into HTML context.

Workarounds

  • Disable public page sharing functionality at the application or reverse proxy level until patching is complete
  • Implement a reverse proxy rule to strip or block requests containing common XSS payload patterns in share URLs
  • Deploy a Web Application Firewall (WAF) with XSS protection rules in front of Docmost instances
  • Restrict page creation and modification permissions to trusted users only
bash
# Example: Nginx configuration to add Content Security Policy header
# Add to your Docmost server block configuration

server {
    # ... existing configuration ...
    
    # Add Content Security Policy to mitigate XSS impact
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';" always;
    
    # Optional: Block requests with common XSS patterns in share endpoint
    location /share/ {
        if ($request_uri ~* "(<script|javascript:|onerror=|onload=)") {
            return 403;
        }
        proxy_pass http://docmost_backend;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.