HTML Sanitization Bypass in Diffmarked.js of CryptPad by CryptPad
CVE-2026-26028

6.1 MEDIUM

Key Information:

Vendor

Cryptpad

Status
Vendor
CVE Published: 20 May 2026

What is CVE-2026-26028?

CryptPad, an end-to-end encrypted collaborative office suite, is vulnerable due to an incomplete HTML sanitizer in Diffmarked.js that permits attribute bypassing on specific tags. In versions before 2026.2.0, the sanitizer predominantly validates the src attribute for , , and tags, leaving other attributes unchecked. This oversight allows potential attackers to inject arbitrary HTML via the srcdoc attribute, undermining CryptPad's sandboxing mechanisms and leading to possible link injections or the introduction of interactive content within user-generated documents. The underlying issue stems from the treatment of the tag as 'restricted' rather than 'forbidden,' causing the sanitizer validation to focus narrowly on src attributes. This situation was addressed and resolved in version 2026.2.0.
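The gap described above, as an added example that is a simplified model and not CryptPad's or Diffmarked.js's own code. It assumes `iframe` is the restricted tag (since `srcdoc` is an iframe attribute); the https-only `src` rule, the policy names and the two hardenings shown are hypothetical, not the project's actual fix.

```javascript
// Added example: simplified model of a tag/attribute sanitizer, not CryptPad's code.
// Nodes are constructed plain objects: { tag, attrs: { name: value }, children: [] }.

// Hypothetical src rule for this model: only https URLs are accepted.
const isAllowedSrc = (value) => /^https:\/\//i.test(String(value).trim());

// policy.forbidden:  Set of tags dropped together with their subtree.
// policy.restricted: Map of tag -> null (only src is validated, other attributes
//                    pass through) or a Set of attribute names allowed to remain.
function sanitize(node, policy) {
  const tag = node.tag.toLowerCase();
  if (policy.forbidden.has(tag)) return null;
  // Attribute names are case-insensitive in HTML, so normalise before checking.
  let attrs = Object.entries(node.attrs || {}).map(([k, v]) => [k.toLowerCase(), v]);
  if (policy.restricted.has(tag)) {
    const allowlist = policy.restricted.get(tag);
    attrs = attrs.filter(([name, value]) => {
      if (name === 'src') return isAllowedSrc(value);
      return allowlist === null ? true : allowlist.has(name);
    });
  }
  const children = (node.children || [])
    .map((child) => sanitize(child, policy))
    .filter((child) => child !== null);
  return { tag, attrs: Object.fromEntries(attrs), children };
}

// Model of the pre-fix behaviour: iframe (assumed) is restricted, only src is checked.
const srcOnlyPolicy = { forbidden: new Set(['script']), restricted: new Map([['iframe', null]]) };
// Hardening A (hypothetical): restricted tags keep only allowlisted attributes.
const allowlistPolicy = {
  forbidden: new Set(['script']),
  restricted: new Map([['iframe', new Set(['src', 'width', 'height'])]]),
};
// Hardening B (hypothetical): treat the tag as forbidden instead of restricted.
const forbiddenPolicy = { forbidden: new Set(['script', 'iframe']), restricted: new Map() };

// Constructed input: a paragraph holding an iframe with a valid src plus srcdoc.
const sample = { tag: 'p', attrs: {}, children: [{
  tag: 'IFRAME',
  attrs: { src: 'https://example.org/embed', SrcDoc: '<p>constructed markup</p>', width: '300' },
  children: [],
}] };

// Attribute names left on the iframe after sanitizing, or [] if it was removed.
function survivingAttrs(policy) {
  const out = sanitize(sample, policy);
  return out.children.length ? Object.keys(out.children[0].attrs).sort() : [];
}
```

Under the src-only policy the `srcdoc` attribute survives even though `src` is valid, which is the check to reproduce when regression-testing a sanitizer of this shape.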

Affected Version(s)

cryptpad < 2026.2.0

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
