Vulnerability Description
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in a too open Content-Security-Policy and furthermore opened the possibility to host malicious interactive web content (such as fake login forms) using SVG files. This vulnerability is fixed in 1.10.6.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hedgedoc | Hedgedoc | < 1.10.6 |
Related Weaknesses (CWE)
References
- https://github.com/hedgedoc/hedgedoc/commit/74daa0e7a1cbfafd9aeb255eaf064dfe47cdPatch
- https://github.com/hedgedoc/hedgedoc/commit/b930fe04cee92cd4723044030bb59c36781cPatch
- https://github.com/hedgedoc/hedgedoc/releases/tag/1.10.6ProductRelease Notes
- https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-x74j-jmf9-534wPatchVendor Advisory
FAQ
What is CVE-2026-25642?
CVE-2026-25642 is a vulnerability with a CVSS score of 4.3 (MEDIUM). HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in...
How severe is CVE-2026-25642?
CVE-2026-25642 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25642?
Check the references section above for vendor advisories and patch information. Affected products include: Hedgedoc Hedgedoc.