Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-34212

CVE-2026-34212: Docmost Stored XSS Vulnerability

CVE-2026-34212 is a stored cross-site scripting flaw in Docmost that allows authenticated attackers to inject malicious JavaScript via attachment URLs. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2026-34212 Overview

CVE-2026-34212 is a stored Cross-Site Scripting (XSS) vulnerability in Docmost, an open-source collaborative wiki and documentation software. The vulnerability exists due to improper neutralization of attachment URLs, allowing a low-privileged authenticated user to store a malicious javascript: URL inside an attachment node in page content. When another user views the page and activates the attachment link or icon, attacker-controlled JavaScript executes in the context of the Docmost origin.

Critical Impact

Authenticated attackers can inject malicious JavaScript that executes in the browsers of other users viewing affected pages, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims.

Affected Products

  • Docmost versions prior to 0.71.0

Discovery Timeline

  • 2026-04-14 - CVE CVE-2026-34212 published to NVD
  • 2026-04-14 - Last updated in NVD database

Technical Details for CVE-2026-34212

Vulnerability Analysis

This vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting). The flaw stems from insufficient validation and sanitization of user-supplied URLs within attachment nodes in Docmost's page content system. When a low-privileged authenticated user creates or edits page content, they can embed attachment references with arbitrary URL schemes, including the javascript: protocol.

The attack requires user interaction—specifically, another user must click on the malicious attachment link or icon. Once triggered, the injected JavaScript executes within the security context of the Docmost application origin, granting the attacker access to session tokens, cookies, and the ability to perform actions as the victim user.

Root Cause

The root cause is the lack of proper URL scheme validation when processing attachment URLs. Docmost fails to enforce an allowlist of safe URL protocols (such as http:, https:, or relative paths) when storing and rendering attachment nodes. This oversight allows arbitrary protocol handlers, including javascript:, to be embedded directly into page content.

Attack Vector

The attack is network-based and requires low privileges (any authenticated user can exploit it) combined with user interaction from the victim. An attacker would:

  1. Authenticate to the Docmost instance with any valid user account
  2. Create or edit a page and insert an attachment node
  3. Set the attachment URL to a javascript: URI containing malicious code
  4. Wait for another user (potentially with higher privileges) to view the page and click the attachment

The malicious JavaScript then executes in the victim's browser session, potentially allowing the attacker to steal session cookies, perform actions as the victim, or redirect users to phishing pages.

Detection Methods for CVE-2026-34212

Indicators of Compromise

  • Page content containing attachment nodes with javascript: URL schemes
  • Unexpected JavaScript execution when users interact with attachment links
  • User reports of unusual behavior after clicking attachments in wiki pages
  • Audit logs showing attachment URL modifications containing script payloads

Detection Strategies

  • Implement content security policies (CSP) that restrict inline script execution
  • Monitor page content for suspicious URL patterns, particularly javascript: protocol handlers
  • Review audit logs for page edits that introduce attachment nodes with non-standard URL schemes
  • Deploy web application firewalls (WAF) with rules to detect XSS payloads in stored content

Monitoring Recommendations

  • Enable verbose logging for page content modifications and attachment changes
  • Set up alerts for CSP violation reports that may indicate XSS exploitation attempts
  • Regularly audit stored page content for potentially malicious URL patterns
  • Monitor for unusual session activity that could indicate session hijacking

How to Mitigate CVE-2026-34212

Immediate Actions Required

  • Upgrade Docmost to version 0.71.0 or later immediately
  • Audit existing page content for attachment nodes containing javascript: URLs
  • Review user activity logs for signs of exploitation
  • Consider temporarily restricting attachment creation privileges until patched

Patch Information

Docmost version 0.71.0 addresses this vulnerability by implementing proper URL scheme validation for attachment nodes. Organizations should upgrade to this version or later as soon as possible. For more details, refer to the GitHub Security Advisory.

Workarounds

  • Implement a strict Content Security Policy (CSP) header that blocks inline scripts and javascript: URIs
  • Use a web application firewall to filter requests containing javascript: protocol handlers
  • Restrict page editing permissions to trusted users only until the patch is applied
  • Manually review and sanitize existing page content for suspicious attachment URLs

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.