Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-43887

CVE-2026-43887: Outline Collaborative XSS Vulnerability

CVE-2026-43887 is a cross-site scripting flaw in Outline collaborative documentation that allows attackers to execute malicious code through unsanitized user mentions. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-43887 Overview

CVE-2026-43887 is a stored cross-site scripting (XSS) vulnerability in Outline, a collaborative documentation service. The flaw affects versions 0.84.0 through 1.6.1. The Outline comment section allows users to mention other users, but the backend does not validate or sanitize the href attribute associated with these mentions. Attackers can inject dangerous protocols such as javascript: into mention links, leading to client-side code execution when other users interact with the comment. The issue is tracked under [CWE-79] and is fixed in version 1.7.0.

Critical Impact

Authenticated attackers can execute arbitrary JavaScript in victim browsers by crafting malicious mentions, enabling session theft, account takeover, and unauthorized actions against Outline workspaces.

Affected Products

  • Outline versions 0.84.0 through 1.6.1
  • Self-hosted Outline deployments running affected versions
  • Outline cloud workspaces running affected backend versions

Discovery Timeline

  • 2026-05-11 - CVE-2026-43887 published to NVD
  • 2026-05-15 - Last updated in NVD database

Technical Details for CVE-2026-43887

Vulnerability Analysis

The vulnerability resides in the comment subsystem of Outline. Comments support user mentions rendered as hyperlinks containing an href attribute. The backend accepts mention payloads from clients without validating the protocol scheme of the href value.

Because the application trusts the supplied href, an attacker can submit a mention referencing a non-HTTP scheme such as javascript:. When another authenticated user views the comment and clicks the mention, the browser evaluates the JavaScript expression in the context of the Outline origin.

This grants the attacker access to the victim's authenticated session, cookies accessible to scripts, and the ability to issue API calls as the victim. The flaw maps to [CWE-79] Improper Neutralization of Input During Web Page Generation.

Root Cause

The root cause is missing server-side allowlist validation for URL schemes on mention href attributes. The backend stores attacker-controlled values verbatim, and the frontend renders them as active hyperlinks. Standard XSS hardening requires restricting href values to safe protocols such as http, https, and mailto. Outline did not enforce this allowlist before version 1.7.0.

Attack Vector

Exploitation requires an authenticated user with permission to post comments. The attacker crafts a comment mention where the href attribute is set to javascript: followed by arbitrary code. The malicious comment persists in the document. When a victim user opens the document and activates the mention link, the embedded JavaScript executes in the victim's browser session.

User interaction is required to trigger code execution, but the stored nature of the payload allows targeting any user who accesses the affected document.

No verified public exploit code is available. See the GitHub Security Advisory for technical details published by the maintainers.

Detection Methods for CVE-2026-43887

Indicators of Compromise

  • Comment records containing mention elements whose href attribute begins with javascript:, data:, or vbscript: schemes.
  • Outbound HTTP requests from user browsers to attacker-controlled domains shortly after opening Outline documents.
  • Unexpected API calls to Outline endpoints originating from valid user sessions without corresponding user activity.

Detection Strategies

  • Query the Outline database for comment payloads containing non-allowlisted URL schemes in mention href values.
  • Inspect web server and reverse proxy logs for unusual referer chains from Outline document URLs to external destinations.
  • Review Content Security Policy (CSP) violation reports if CSP is deployed, focusing on script-src and inline-script violations.

Monitoring Recommendations

  • Enable verbose audit logging for comment create and update operations in Outline.
  • Forward Outline application logs and proxy access logs to a centralized SIEM for correlation against user session anomalies.
  • Alert on session token usage from multiple IP addresses or user agents within short time windows, indicating possible token theft.

How to Mitigate CVE-2026-43887

Immediate Actions Required

  • Upgrade Outline to version 1.7.0 or later on all self-hosted and managed deployments.
  • Audit existing comments for stored payloads containing javascript:, data:, or other unsafe URL schemes in mention href attributes.
  • Rotate session tokens and API keys for users who may have viewed suspicious comments since the affected versions were deployed.

Patch Information

The vulnerability is fixed in Outline 1.7.0. The patch enforces validation and sanitization of the href attribute on mention elements, restricting allowed protocols to safe schemes. Refer to the GitHub Security Advisory GHSA-rqrg-f3qc-xvgh for the official advisory and patch references.

Workarounds

  • Deploy a strict Content Security Policy that blocks inline script execution and restricts script sources to trusted origins.
  • Restrict comment creation permissions to trusted users until the patch can be applied.
  • Use a reverse proxy or web application firewall rule to inspect and reject Outline API requests containing javascript: strings in mention payloads.
bash
# Configuration example: upgrade self-hosted Outline via Docker
docker pull outlinewiki/outline:1.7.0
docker compose down
docker compose up -d

# Verify the running version
docker exec -it outline node -e "console.log(require('./package.json').version)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.