CVE-2026-24045 in Docmost
Summary
by MITRE • 02/10/2026
Docmost is open-source collaborative wiki and documentation software. From g and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks, where an attacker can execute arbitrary JavaScript in the context of any user who opens a shared page link. This vulnerability is fixed in 0.25.0.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/26/2026
The vulnerability CVE-2026-24045 affects Docmost, an open-source collaborative wiki and documentation platform that enables teams to create and share documentation collaboratively. This security flaw exists in versions prior to 0.25.0 and specifically targets the public share page functionality within the application. The issue stems from inadequate input sanitization practices during the rendering of shared content, creating a pathway for malicious actors to inject persistent JavaScript code that executes when users access shared documentation pages. The vulnerability represents a critical security risk as it allows attackers to exploit the application's trust in user-provided content without proper validation or sanitization.
The technical flaw manifests in the application's handling of page titles within meta tags and title elements when generating public share pages. When users create documentation with titles containing malicious HTML or JavaScript content, the system fails to properly HTML-escape these inputs before embedding them into the generated HTML output. This improper sanitization creates a stored XSS vulnerability where the malicious payload is persisted in the application's database and executed every time the shared page is accessed. The vulnerability occurs because the application does not implement proper output encoding for HTML contexts, specifically failing to sanitize user-supplied page titles before they are inserted into meta description tags and title tags that are rendered in the browser.
The operational impact of this vulnerability is severe as it enables attackers to execute arbitrary JavaScript code in the context of any user who accesses a compromised shared page. This creates a persistent threat where malicious actors can steal session cookies, redirect users to malicious sites, perform actions on behalf of users, or even escalate privileges within the application. The stored nature of this vulnerability means that once a malicious title is created and shared, it affects all users who click the link, making it particularly dangerous for collaborative environments where documentation is frequently shared. The vulnerability affects all users of the affected versions regardless of their role or permissions within the system, as the XSS executes in the context of the victim's browser session.
Mitigation strategies for this vulnerability require immediate implementation of proper input sanitization and output encoding practices. Organizations should upgrade to Docmost version 0.25.0 or later, which contains the necessary fixes to prevent HTML injection in meta tags and title elements. The recommended approach involves implementing strict HTML escaping for all user-provided content before rendering it in HTML contexts, particularly in meta tags and title elements. Security practitioners should also consider implementing Content Security Policy headers to limit the execution of inline scripts and prevent unauthorized code execution. Additionally, regular input validation should be enforced at multiple layers including client-side and server-side to ensure that all user-generated content meets security requirements before being stored or rendered. This vulnerability aligns with CWE-79 (Cross-site Scripting) and can be categorized under ATT&CK technique T1566.001 (Phishing with Social Engineering) when used for credential theft purposes, making it a significant concern for enterprise security posture management.