Vulnerability Description
Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/HTML into the DOM via dangerouslySetInnerHTML without sanitization. Mermaid per-diagram %%{init}%% directives allow overriding securityLevel and enabling htmlLabels, permitting arbitrary HTML/JS execution for any viewer. This issue has been fixed in version 0.24.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Docmost | Docmost | >= 0.3.0, < 0.24.0 |
Related Weaknesses (CWE)
References
- https://github.com/docmost/docmost/commit/cb9f27da9a8b4940760e37e5238a1eb91e427d (Patch)
- https://github.com/docmost/docmost/releases/tag/v0.24.0 (Product, Release Notes)
- https://github.com/docmost/docmost/security/advisories/GHSA-r4hj-mc62-jmwj (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-23630?
CVE-2026-23630 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend ca...
How severe is CVE-2026-23630?
CVE-2026-23630 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-23630?
Check the references section above for vendor advisories and patch information. Affected products include: Docmost Docmost.