{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22249", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.921Z", "datePublished": "2026-01-15T18:43:56.263Z", "dateUpdated": "2026-01-15T19:08:26.158Z"}, "containers": {"cna": {"title": "Docmost affected by an Arbitrary File Write via Zip Import Feature (ZipSlip)", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg"}, {"name": "https://github.com/docmost/docmost/pull/1753", "tags": ["x_refsource_MISC"], "url": "https://github.com/docmost/docmost/pull/1753"}, {"name": "https://github.com/docmost/docmost/commit/c3b350d943108552e20654580005cd6f6c78ab05", "tags": ["x_refsource_MISC"], "url": "https://github.com/docmost/docmost/commit/c3b350d943108552e20654580005cd6f6c78ab05"}, {"name": "https://github.com/docmost/docmost/releases/tag/v0.24.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/docmost/docmost/releases/tag/v0.24.0"}], "affected": [{"vendor": "docmost", "product": "docmost", "versions": [{"version": "< 0.24.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T18:43:56.263Z"}, "descriptions": [{"lang": "en", "value": "Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there are no validation on filename. This vulnerability is fixed in 0.24.0."}], "source": {"advisory": "GHSA-54pm-hqxm-54wg", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T19:08:23.115194Z", "id": "CVE-2026-22249", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T19:08:26.158Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22249", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-15T19:08:23.115194Z"}}}], "references": [{"url": "https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T19:08:18.085Z"}}], "cna": {"title": "Docmost affected by an Arbitrary File Write via Zip Import Feature (ZipSlip)", "source": {"advisory": "GHSA-54pm-hqxm-54wg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "docmost", "product": "docmost", "versions": [{"status": "affected", "version": "< 0.24.0"}]}], "references": [{"url": "https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg", "name": "https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/docmost/docmost/pull/1753", "name": "https://github.com/docmost/docmost/pull/1753", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/docmost/docmost/commit/c3b350d943108552e20654580005cd6f6c78ab05", "name": "https://github.com/docmost/docmost/commit/c3b350d943108552e20654580005cd6f6c78ab05", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/docmost/docmost/releases/tag/v0.24.0", "name": "https://github.com/docmost/docmost/releases/tag/v0.24.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there are no validation on filename. This vulnerability is fixed in 0.24.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T18:43:56.263Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22249", "state": "PUBLISHED", "dateUpdated": "2026-01-15T19:08:26.158Z", "dateReserved": "2026-01-07T05:19:12.921Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-15T18:43:56.263Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:docmost:docmost:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B3C6E1E-C674-45AA-A3B0-6518B205D8B5", "versionEndExcluding": "0.24.0", "versionStartIncluding": "0.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there are no validation on filename. This vulnerability is fixed in 0.24.0."}], "id": "CVE-2026-22249", "lastModified": "2026-01-22T15:44:51.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-15T19:16:05.527", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/docmost/docmost/commit/c3b350d943108552e20654580005cd6f6c78ab05"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/docmost/docmost/pull/1753"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/docmost/docmost/releases/tag/v0.24.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:10:14.529576+00:00", "value": {"mitigation_remediation": ["Upgrade Docmost to version 0.24.0 or later, which implements strict validation of filenames during zip extraction.", "If an upgrade cannot be performed immediately, restrict usage of the zip import function to trusted administrators or temporarily disable the endpoint to prevent unintended file writes.", "As a temporary defense, add server\u2011side validation that strips leading slashes, normalizes paths, and rejects entries containing path traversal sequences before performing the extraction."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "The issue affects all Docmost instances running versions 0.21.0 through 0.23.x, inclusive. Any installation that exposes the zip import endpoint to users\u2014whether via the web UI or API\u2014falls within the impacted range. The fix is addressed in release 0.24.0, which adds filename validation before extraction.", "description_and_impact": "Docmost\u2019s Zip Import feature allows uploading compressed archives containing files. Because the implementation performs no validation on the listed filenames, an attacker can craft archive entries whose names include directory traversal components or absolute paths, causing the server to write files anywhere on the filesystem that the process can reach. This vulnerability, classified as CWE\u201122, permits arbitrary file creation or overwrite, potentially compromising data integrity and confidentiality. Based on the description, it is inferred that if the application later executes or loads the written files, this could enable remote code execution or configuration tampering, though such a consequence has not been demonstrated in the supplied advisory.", "risk_and_exploitability": "With a CVSS score of 7.1, the flaw is considered moderate to high in severity. The EPSS score of less than 1\u202f% indicates a currently low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply a malicious zip file, presumably via an upload API or web form; the lack of validation allows arbitrary relative paths to map to server locations during extraction. Successful exploitation requires only the ability to upload a zip and that the server process has write permission to the target directories."}}}}, "created": "2026-01-16T13:43:13.275926+00:00", "updated": "2026-04-18T16:15:04.605353+00:00", "vendors": ["docmost", "docmost$PRODUCT$docmost"]}