{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25642", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-04T05:15:41.791Z", "datePublished": "2026-02-06T19:23:59.991Z", "dateUpdated": "2026-02-06T20:20:58.376Z"}, "containers": {"cna": {"title": "HedgeDoc security headers for uploaded files were not working", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-x74j-jmf9-534w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-x74j-jmf9-534w"}, {"name": "https://github.com/hedgedoc/hedgedoc/commit/74daa0e7a1cbfafd9aeb255eaf064dfe47cd401c", "tags": ["x_refsource_MISC"], "url": "https://github.com/hedgedoc/hedgedoc/commit/74daa0e7a1cbfafd9aeb255eaf064dfe47cd401c"}, {"name": "https://github.com/hedgedoc/hedgedoc/commit/b930fe04cee92cd4723044030bb59c36781c7137", "tags": ["x_refsource_MISC"], "url": "https://github.com/hedgedoc/hedgedoc/commit/b930fe04cee92cd4723044030bb59c36781c7137"}, {"name": "https://github.com/hedgedoc/hedgedoc/releases/tag/1.10.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/hedgedoc/hedgedoc/releases/tag/1.10.6"}], "affected": [{"vendor": "hedgedoc", "product": "hedgedoc", "versions": [{"version": "< 1.10.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T19:23:59.991Z"}, "descriptions": [{"lang": "en", "value": "HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in a too open Content-Security-Policy and furthermore opened the possibility to host malicious interactive web content (such as fake login forms) using SVG files. This vulnerability is fixed in 1.10.6."}], "source": {"advisory": "GHSA-x74j-jmf9-534w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T20:20:51.864945Z", "id": "CVE-2026-25642", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T20:20:58.376Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25642", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-06T20:20:51.864945Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T20:20:54.316Z"}}], "cna": {"title": "HedgeDoc security headers for uploaded files were not working", "source": {"advisory": "GHSA-x74j-jmf9-534w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "hedgedoc", "product": "hedgedoc", "versions": [{"status": "affected", "version": "< 1.10.6"}]}], "references": [{"url": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-x74j-jmf9-534w", "name": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-x74j-jmf9-534w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/hedgedoc/hedgedoc/commit/74daa0e7a1cbfafd9aeb255eaf064dfe47cd401c", "name": "https://github.com/hedgedoc/hedgedoc/commit/74daa0e7a1cbfafd9aeb255eaf064dfe47cd401c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/hedgedoc/hedgedoc/commit/b930fe04cee92cd4723044030bb59c36781c7137", "name": "https://github.com/hedgedoc/hedgedoc/commit/b930fe04cee92cd4723044030bb59c36781c7137", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/hedgedoc/hedgedoc/releases/tag/1.10.6", "name": "https://github.com/hedgedoc/hedgedoc/releases/tag/1.10.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in a too open Content-Security-Policy and furthermore opened the possibility to host malicious interactive web content (such as fake login forms) using SVG files. This vulnerability is fixed in 1.10.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T19:23:59.991Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25642", "state": "PUBLISHED", "dateUpdated": "2026-02-06T20:20:58.376Z", "dateReserved": "2026-02-04T05:15:41.791Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T19:23:59.991Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hedgedoc:hedgedoc:*:*:*:*:*:*:*:*", "matchCriteriaId": "EAB0E1A5-8DC9-4EEB-ADA5-12A10143EE18", "versionEndExcluding": "1.10.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in a too open Content-Security-Policy and furthermore opened the possibility to host malicious interactive web content (such as fake login forms) using SVG files. This vulnerability is fixed in 1.10.6."}], "id": "CVE-2026-25642", "lastModified": "2026-02-25T14:45:01.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-06T20:16:11.437", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/hedgedoc/hedgedoc/commit/74daa0e7a1cbfafd9aeb255eaf064dfe47cd401c"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/hedgedoc/hedgedoc/commit/b930fe04cee92cd4723044030bb59c36781c7137"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/hedgedoc/hedgedoc/releases/tag/1.10.6"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-x74j-jmf9-534w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:30:42.594628+00:00", "value": {"mitigation_remediation": ["Update HedgeDoc to version 1.10.6 or later.", "If upgrading is not immediately possible, restrict the /uploads/ path to serve only safe file types and validate uploaded content more strictly.", "Manually enforce a stricter Content\u2011Security\u2011Policy for files served from the /uploads/ endpoint, for example by setting \"Content\u2011Security\u2011Policy: default-src 'none'; script-src 'none'; object-src 'none';\" to prevent execution of SVG scripts."], "summary": {"action": "Patch", "impact": "Potential malicious interactive content execution via overly permissive Content\u2011Security\u2011Policy"}, "threat_synthesis": {"affected_systems": "Affected deployments include any HedgeDoc installation running the hedgedoc/hedgedoc package before version 1.10.6, where files are accessible via the /uploads/ URL. The patch is available in release 1.10.6, so any system not yet upgraded to that version is vulnerable.", "description_and_impact": "The vulnerability arises from insecure Content\u2011Security\u2011Policy headers on files served under the /uploads/ endpoint in HedgeDoc versions prior to 1.10.6. A too\u2011open policy allows an attacker to upload interactive web content, such as maliciously crafted SVG files or fake login forms, that the browser will execute within the context of the application. This weakness, identified as CWE\u201179, enables cross\u2011site scripting\u2011like payloads to run in a logged\u2011in user\u2019s browser, potentially compromising confidentiality or integrity of that user\u2019s session.", "risk_and_exploitability": "The CVSS base score of 4.3 indicates a moderate severity. The EPSS score of less than 1% reflects a low probability of exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to supply a crafted SVG file and for a user to view it, a scenario that often relies on social engineering or internal compromise of the upload functionality. While the risk is primarily to users who view uploaded content they did not create, administrators should treat it as a medium\u2011risk issue until the patch is applied."}}}}, "created": "2026-02-09T10:50:20.942491+00:00", "updated": "2026-04-17T22:45:29.914879+00:00", "vendors": ["hedgedoc", "hedgedoc$PRODUCT$hedgedoc"]}