Cross-Site Scripting Vulnerability in Docmost Collaborative Software
CVE-2026-34212

5.4MEDIUM

Key Information:

Vendor: Docmost
Status: Docmost
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-34212?

A Cross-Site Scripting (XSS) vulnerability in Docmost open-source collaborative wiki and documentation software allows low-privileged authenticated users to inject malicious javascript: URLs. This occurs due to improper neutralization of attachment URLs, enabling attackers to execute arbitrary JavaScript in the context of the Docmost origin whenever another user views the compromised page and interacts with the attachment. The flaw has been addressed in version 0.71.0.

Affected Version(s)

docmost < 0.71.0

References

https://github.com/docmost/docmost/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Mar 26, 2026

CVE-2026-34212 Data

JSON