Stored HTML Injection in HedgeDoc Affected by Unsafe Email Handling
CVE-2026-58487

5.1MEDIUM

Key Information:

Vendor

Hedgedoc

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-58487?

HedgeDoc, a collaborative markdown note-taking application, suffers from a vulnerability allowing stored HTML injection due to improper handling of the local-part of registered email addresses. An attacker can register with a specially crafted email address, leading to arbitrary HTML being injected into multiple user-facing views, including published content and collaborative editors. Although the deployed Content-Security-Policy mitigates straightforward JavaScript execution, attackers can still manipulate page content and load external resources using malicious markup, posing a significant risk to users. This vulnerability was resolved in HedgeDoc version 1.11.0.

Affected Version(s)

hedgedoc < 1.11.0

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.