Path Traversal Vulnerability in Outline Service
CVE-2026-25062

5.5 MEDIUM

Key Information:

Vendor: Outline

Status
Vendor
CVE Published: 11 February 2026

What is CVE-2026-25062?

The Outline Service, which facilitates collaborative documentation, was found to have a vulnerability in its JSON import process prior to version 1.4.0. The service inadequately handled the value of attachments[].key taken from the imported JSON. By injecting path traversal sequences or absolute paths into that value, an attacker could gain access to arbitrary files on the server through the file system, leading to potential data exposure. This critical issue has been addressed in version 1.4.0 of the Outline Service.
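
The kind of check an importer needs before it touches the file system with an attachments[].key value, as an added example; this is not Outline's code or its 1.4.0 fix. The import root /srv/import-tmp, the id field, the function names and the sample document are constructed assumptions; only the attachments[].key field comes from the description above.

```javascript
// Added example (not Outline's code): confine attachments[].key to an import root.
const path = require("node:path").posix; // POSIX semantics for deterministic results

// Returns the resolved path inside importRoot, or throws if the key escapes it.
function resolveAttachmentKey(importRoot, key) {
  if (typeof key !== "string" || key.length === 0) {
    throw new Error("key must be a non-empty string");
  }
  if (key.includes("\0") || key.includes("\\")) {
    throw new Error("key contains a NUL byte or backslash");
  }
  if (path.isAbsolute(key)) {
    throw new Error("absolute paths are not allowed");
  }
  const root = path.resolve(importRoot);
  const prefix = root.endsWith("/") ? root : root + "/";
  const resolved = path.resolve(root, key);
  // Compare the normalized result, not the raw string: "a/../../b" contains
  // no leading "../" yet still resolves above the root.
  if (!resolved.startsWith(prefix)) {
    throw new Error("key resolves outside the import directory");
  }
  return resolved;
}

// Checks every attachment in a parsed import document (hypothetical shape).
function auditImport(doc, importRoot) {
  const accepted = [];
  const rejected = [];
  const list = doc && Array.isArray(doc.attachments) ? doc.attachments : [];
  for (const att of list) {
    const key = att ? att.key : undefined;
    try {
      accepted.push(resolveAttachmentKey(importRoot, key));
    } catch (err) {
      rejected.push({ key, reason: err.message });
    }
  }
  return { accepted, rejected };
}

// Constructed sample input, not taken from a real import file.
const sampleImport = { attachments: [
  { id: "a1", key: "uploads/a1/diagram.png" },
  { id: "a2", key: "../../../../etc/passwd" },
  { id: "a3", key: "/etc/hostname" },
  { id: "a4", key: "uploads/../../outside.txt" },
  { id: "a5", key: "uploads/./a5/../a5/notes.txt" },
] };
```

This check is lexical only; where the import directory can contain symbolic links, the resolved path also needs a real-path comparison before the file is opened.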

Affected Version(s)

outline < 1.4.0

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
