{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23630", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-14T16:08:37.482Z", "datePublished": "2026-01-21T22:51:27.158Z", "dateUpdated": "2026-01-22T16:49:01.024Z"}, "containers": {"cna": {"title": "Docmost is vulnerable to stored Cross-Site Scripting (XSS) through Mermaid rendering", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/docmost/docmost/security/advisories/GHSA-r4hj-mc62-jmwj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/docmost/docmost/security/advisories/GHSA-r4hj-mc62-jmwj"}, {"name": "https://github.com/docmost/docmost/commit/cb9f27da9a8b4940760e37e5238a1eb91e427daf", "tags": ["x_refsource_MISC"], "url": "https://github.com/docmost/docmost/commit/cb9f27da9a8b4940760e37e5238a1eb91e427daf"}, {"name": "https://github.com/docmost/docmost/releases/tag/v0.24.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/docmost/docmost/releases/tag/v0.24.0"}], "affected": [{"vendor": "docmost", "product": "docmost", "versions": [{"version": ">= 0.3.0, < 0.24.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-21T22:51:27.158Z"}, "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/HTML into the DOM via dangerouslySetInnerHTML without sanitization. Mermaid per-diagram %%{init}%% directives allow overriding securityLevel and enabling htmlLabels, permitting arbitrary HTML/JS execution for any viewer. This issue has been fixed in version 0.24.0."}], "source": {"advisory": "GHSA-r4hj-mc62-jmwj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T15:09:16.399808Z", "id": "CVE-2026-23630", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T16:49:01.024Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23630", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T15:09:16.399808Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T15:09:17.688Z"}}], "cna": {"title": "Docmost is vulnerable to stored Cross-Site Scripting (XSS) through Mermaid rendering", "source": {"advisory": "GHSA-r4hj-mc62-jmwj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "docmost", "product": "docmost", "versions": [{"status": "affected", "version": ">= 0.3.0, < 0.24.0"}]}], "references": [{"url": "https://github.com/docmost/docmost/security/advisories/GHSA-r4hj-mc62-jmwj", "name": "https://github.com/docmost/docmost/security/advisories/GHSA-r4hj-mc62-jmwj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/docmost/docmost/commit/cb9f27da9a8b4940760e37e5238a1eb91e427daf", "name": "https://github.com/docmost/docmost/commit/cb9f27da9a8b4940760e37e5238a1eb91e427daf", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/docmost/docmost/releases/tag/v0.24.0", "name": "https://github.com/docmost/docmost/releases/tag/v0.24.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/HTML into the DOM via dangerouslySetInnerHTML without sanitization. Mermaid per-diagram %%{init}%% directives allow overriding securityLevel and enabling htmlLabels, permitting arbitrary HTML/JS execution for any viewer. This issue has been fixed in version 0.24.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-21T22:51:27.158Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23630", "state": "PUBLISHED", "dateUpdated": "2026-01-22T16:49:01.024Z", "dateReserved": "2026-01-14T16:08:37.482Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-21T22:51:27.158Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:docmost:docmost:*:*:*:*:*:*:*:*", "matchCriteriaId": "6CC11D0B-FC45-4B78-A37D-CD653CD33D2E", "versionEndExcluding": "0.24.0", "versionStartIncluding": "0.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/HTML into the DOM via dangerouslySetInnerHTML without sanitization. Mermaid per-diagram %%{init}%% directives allow overriding securityLevel and enabling htmlLabels, permitting arbitrary HTML/JS execution for any viewer. This issue has been fixed in version 0.24.0."}], "id": "CVE-2026-23630", "lastModified": "2026-02-17T16:50:10.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-21T23:15:52.187", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/docmost/docmost/commit/cb9f27da9a8b4940760e37e5238a1eb91e427daf"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/docmost/docmost/releases/tag/v0.24.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/docmost/docmost/security/advisories/GHSA-r4hj-mc62-jmwj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:30:34.957716+00:00", "value": {"mitigation_remediation": ["Upgrade Docmost to version 0.24.0 or later to receive the fix for this stored XSS vulnerability. ", "If an upgrade cannot be performed immediately, remove the ability for users to create new Mermaid diagrams or enforce strict sanitization of diagram output to strip out HTML elements. ", "Configure the application to disable Mermaid htmlLabels or set the securityLevel to \"strict\" for all diagrams, ensuring that no user supplied JavaScript can execute."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting allowing arbitrary JavaScript execution for any viewer"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the open\u2011source collaborative wiki software Docmost. All deployments of Docmost from version 0.3.0 up to and including 0.23.2 are affected. Version 0.24.0 and later contain the fix.", "description_and_impact": "In Docmost versions 0.3.0 through 0.23.2, Mermaid code blocks are rendered by the frontend using mermaid.render(), which returns SVG/HTML. That output is inserted into the page via dangerouslySetInnerHTML without any sanitization. The Mermaid API supports in\u2011diagram %%{init}%% directives that can change securityLevel and enable htmlLabels, permitting an attacker to embed arbitrary HTML or JavaScript. Once a victim views a page containing such a malicious Mermaid block, the code runs in the victim\u2019s browser, potentially compromising confidentiality, integrity, or availability of the user session or data. This is a classic stored XSS flaw, classified as CWE\u201179 and CWE\u2011116. The likely attack vector is a victim opening a page that contains a malicious Mermaid diagram, as inferred from the described stored nature of the flaw.\n\nBased on the description, it is inferred that an attacker must create or modify a Mermaid diagram and populate it within a page that a target can view. The flaw is enabled by Mermaid per\u2011diagram %%{init}%% directives that allow an attacker to override securityLevel and enable htmlLabels, thereby injecting arbitrary HTML or JavaScript.\n\nThe vulnerability enables arbitrary code execution in the context of any user who views the affected page, allowing the compromise of the user session and potentially data accessed by that session.\n", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of active exploitation at this time. The vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that an attacker would need to create or modify a Mermaid diagram in a page that the victim can view. Because the flaw is stored, any user who opens the document can be compromised, making the risk significant for shared or public sites. Prompt patching reduces the attack surface and mitigates the potential for widespread compromise.\n"}}}}, "created": "2026-01-22T10:08:44.275063+00:00", "updated": "2026-04-18T15:45:04.261892+00:00", "vendors": ["docmost", "docmost$PRODUCT$docmost"]}