Stored Cross-Site Scripting Vulnerability in Docmost Open-Source Software
CVE-2026-24045

7.3 HIGH

Key Information:

Vendor: Docmost

Status
Vendor
CVE Published: 10 February 2026

What is CVE-2026-24045?

Docmost, an open-source collaborative wiki and documentation software, has a security vulnerability in its public share page feature. Prior to version 0.25.0, the application fails to properly HTML-escape page titles before embedding them into meta tags and the title tag. This oversight creates a vector for stored XSS attacks, enabling attackers to inject arbitrary JavaScript that can execute in the context of any user who accesses a shared page link. Users are advised to update to version 0.25.0 or later to mitigate this risk.
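The pattern described above, shown as an added example rather than Docmost's own code: a server-side head renderer that interpolates the page title raw, next to one that HTML-escapes it first. The function names, the `og:title` meta tag, and the sample titles are assumptions constructed for illustration.

```javascript
// Added example. Function names are hypothetical, not taken from Docmost.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can end a text node or a quoted attribute.
// A single pass avoids double-escaping the "&" introduced by earlier entities.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored title reaches <title> and a meta attribute
// unchanged, so markup inside the title becomes markup in the page.
function renderShareHeadUnsafe(title) {
  return `<title>${title}</title>\n<meta property="og:title" content="${title}">`;
}

// Hardened pattern: escape once, then reuse the escaped value in both sinks.
function renderShareHead(title) {
  const safe = escapeHtml(title);
  return `<title>${safe}</title>\n<meta property="og:title" content="${safe}">`;
}

// Regression check helper: count the tags in the rendered head.
// A correct head for any title has exactly 3: <title>, </title>, <meta>.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// Constructed sample titles: one closes <title> early, one closes the
// content="" attribute early.
const TITLE_WITH_MARKUP = "Roadmap</title><script>void 0</script>";
const TITLE_WITH_QUOTE = 'Roadmap" data-injected="1';

console.log(countTags(renderShareHeadUnsafe(TITLE_WITH_MARKUP))); // more than 3
console.log(countTags(renderShareHead(TITLE_WITH_MARKUP)));       // exactly 3
console.log(renderShareHead(TITLE_WITH_QUOTE));
```

A tag-count assertion like this can run as a regression test against any template that places user-controlled titles in the document head.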

Affected Version(s)

docmost >= 0.20.0, < 0.25.0

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
