Stored HTML Injection in HedgeDoc Affected by Unsafe Email Handling
CVE-2026-58487
5.1MEDIUM
What is CVE-2026-58487?
HedgeDoc, a collaborative markdown note-taking application, suffers from a vulnerability allowing stored HTML injection due to improper handling of the local-part of registered email addresses. An attacker can register with a specially crafted email address, leading to arbitrary HTML being injected into multiple user-facing views, including published content and collaborative editors. Although the deployed Content-Security-Policy mitigates straightforward JavaScript execution, attackers can still manipulate page content and load external resources using malicious markup, posing a significant risk to users. This vulnerability was resolved in HedgeDoc version 1.11.0.
Affected Version(s)
hedgedoc < 1.11.0
