{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40927", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T20:40:15.517Z", "datePublished": "2026-04-21T20:52:29.313Z", "dateUpdated": "2026-04-22T17:42:15.540Z"}, "containers": {"cna": {"title": "Docmost: XSS in Comments with JavaScript URI", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/docmost/docmost/security/advisories/GHSA-4gv6-jw3v-wc34", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/docmost/docmost/security/advisories/GHSA-4gv6-jw3v-wc34"}], "affected": [{"vendor": "docmost", "product": "docmost", "versions": [{"version": "< 0.80.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T20:52:29.313Z"}, "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0."}], "source": {"advisory": "GHSA-4gv6-jw3v-wc34", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:41:58.570551Z", "id": "CVE-2026-40927", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:42:15.540Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Docmost: XSS in Comments with JavaScript URI", "source": {"advisory": "GHSA-4gv6-jw3v-wc34", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "docmost", "product": "docmost", "versions": [{"status": "affected", "version": "< 0.80.0"}]}], "references": [{"url": "https://github.com/docmost/docmost/security/advisories/GHSA-4gv6-jw3v-wc34", "name": "https://github.com/docmost/docmost/security/advisories/GHSA-4gv6-jw3v-wc34", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T20:52:29.313Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40927", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T17:41:58.570551Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-22T17:42:09.840Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-40927", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:52:29.313Z", "dateReserved": "2026-04-15T20:40:15.517Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T20:52:29.313Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:docmost:docmost:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB509D3E-B633-49F2-85E9-48A9B23B246F", "versionEndExcluding": "0.80.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0."}], "id": "CVE-2026-40927", "lastModified": "2026-04-23T15:50:16.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T21:16:46.110", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/docmost/docmost/security/advisories/GHSA-4gv6-jw3v-wc34"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.80.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "docmost", "source": "cna", "vendor": "docmost"}, "product": "docmost", "vendor": "docmost"}], "analysis": {"en": {"generated_at": "2026-04-22T06:23:46.885701+00:00", "value": {"mitigation_remediation": ["Upgrade Docmost to version 0.80.0 or later, which removes the vulnerable comment handling code.", "Clean up existing comments that contain JavaScript URIs, either by deleting or escaping them to prevent accidental execution.", "Implement stricter input sanitization for comment content, ensuring that only safe protocols (e.g., http, https, mailto) are allowed and that JavaScript URIs are blocked or rendered as plain text."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is Docmost, an open\u2011source collaborative wiki and documentation platform. All releases prior to version 0.80.0 contain the flaw. The vendor is identified as docmost:docmost.\n", "description_and_impact": "The vulnerability allows an attacker to embed a JavaScript URI in a comment on any Docmost page. When a user clicks that link, the browser executes the JavaScript in the context of the Docmost site, enabling the attacker to run arbitrary code, steal session cookies, modify the page or perform actions as the victim. This is a classic reflected or stored XSS with the potential for phishing, credential theft, or downstream exploitation of other services.\n", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate severity. EPSS is not available and the vulnerability is not listed in CISA KEV, suggesting limited widespread exploitation to date. The likely attack vector is remote: any user who can leave a comment can inject the malicious link, and any other user who clicks the link triggers the payload. The risk is that internal users may be exposed if they click user\u2011inserted JavaScript URIs.\n"}}}}, "created": "2026-04-22T03:45:06.830643+00:00", "updated": "2026-04-22T06:30:10.672930+00:00", "vendors": ["docmost", "docmost$PRODUCT$docmost"]}