CVE-2026-43887 Overview
CVE-2026-43887 is a stored cross-site scripting (XSS) vulnerability in Outline, a collaborative documentation service. The flaw affects versions 0.84.0 through 1.6.1. The Outline comment section allows users to mention other users, but the backend does not validate or sanitize the href attribute associated with these mentions. Attackers can inject dangerous protocols such as javascript: into mention links, leading to client-side code execution when other users interact with the comment. The issue is tracked under [CWE-79] and is fixed in version 1.7.0.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in victim browsers by crafting malicious mentions, enabling session theft, account takeover, and unauthorized actions against Outline workspaces.
Affected Products
- Outline versions 0.84.0 through 1.6.1
- Self-hosted Outline deployments running affected versions
- Outline cloud workspaces running affected backend versions
Discovery Timeline
- 2026-05-11 - CVE-2026-43887 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43887
Vulnerability Analysis
The vulnerability resides in the comment subsystem of Outline. Comments support user mentions rendered as hyperlinks containing an href attribute. The backend accepts mention payloads from clients without validating the protocol scheme of the href value.
Because the application trusts the supplied href, an attacker can submit a mention referencing a non-HTTP scheme such as javascript:. When another authenticated user views the comment and clicks the mention, the browser evaluates the JavaScript expression in the context of the Outline origin.
This grants the attacker access to the victim's authenticated session, cookies accessible to scripts, and the ability to issue API calls as the victim. The flaw maps to [CWE-79] Improper Neutralization of Input During Web Page Generation.
Root Cause
The root cause is missing server-side allowlist validation for URL schemes on mention href attributes. The backend stores attacker-controlled values verbatim, and the frontend renders them as active hyperlinks. Standard XSS hardening requires restricting href values to safe protocols such as http, https, and mailto. Outline did not enforce this allowlist before version 1.7.0.
Attack Vector
Exploitation requires an authenticated user with permission to post comments. The attacker crafts a comment mention where the href attribute is set to javascript: followed by arbitrary code. The malicious comment persists in the document. When a victim user opens the document and activates the mention link, the embedded JavaScript executes in the victim's browser session.
User interaction is required to trigger code execution, but the stored nature of the payload allows targeting any user who accesses the affected document.
No verified public exploit code is available. See the GitHub Security Advisory for technical details published by the maintainers.
Detection Methods for CVE-2026-43887
Indicators of Compromise
- Comment records containing mention elements whose href attribute begins with javascript:, data:, or vbscript: schemes.
- Outbound HTTP requests from user browsers to attacker-controlled domains shortly after opening Outline documents.
- Unexpected API calls to Outline endpoints originating from valid user sessions without corresponding user activity.
Detection Strategies
- Query the Outline database for comment payloads containing non-allowlisted URL schemes in mention href values.
- Inspect web server and reverse proxy logs for unusual referer chains from Outline document URLs to external destinations.
- Review Content Security Policy (CSP) violation reports if CSP is deployed, focusing on script-src and inline-script violations.
Monitoring Recommendations
- Enable verbose audit logging for comment create and update operations in Outline.
- Forward Outline application logs and proxy access logs to a centralized SIEM for correlation against user session anomalies.
- Alert on session token usage from multiple IP addresses or user agents within short time windows, indicating possible token theft.
How to Mitigate CVE-2026-43887
Immediate Actions Required
- Upgrade Outline to version 1.7.0 or later on all self-hosted and managed deployments.
- Audit existing comments for stored payloads containing javascript:, data:, or other unsafe URL schemes in mention href attributes.
- Rotate session tokens and API keys for users who may have viewed suspicious comments since the affected versions were deployed.
Patch Information
The vulnerability is fixed in Outline 1.7.0. The patch enforces validation and sanitization of the href attribute on mention elements, restricting allowed protocols to safe schemes. Refer to the GitHub Security Advisory GHSA-rqrg-f3qc-xvgh for the official advisory and patch references.
Workarounds
- Deploy a strict Content Security Policy that blocks inline script execution and restricts script sources to trusted origins.
- Restrict comment creation permissions to trusted users until the patch can be applied.
- Use a reverse proxy or web application firewall rule to inspect and reject Outline API requests containing javascript: strings in mention payloads.
# Configuration example: upgrade self-hosted Outline via Docker
docker pull outlinewiki/outline:1.7.0
docker compose down
docker compose up -d
# Verify the running version
docker exec -it outline node -e "console.log(require('./package.json').version)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

