Cyber Resilience

CVE-2026-22249

Severity: High · Public PoC

Published: 15 January 2026
Modified: 22 January 2026
KEV Added: not listed
Patch: Docmost v0.24.0
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)
EPSS score: 0.0050 (39.0th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-22249 is a high-severity Path Traversal (CWE-22) vulnerability in Docmost (vendor: Docmost). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003). The CVE is ranked at the 39.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22249 is an Arbitrary File Write vulnerability, stemming from a ZipSlip issue in the Zip Import Feature of Docmost, an open-source collaborative wiki and documentation software. The flaw affects versions from 0.21.0 up to but not including 0.24.0, due to missing filename validation in the file apps/server/src/integrations/import/utils/file.utils.ts. It is classified under CWE-22 (Path Traversal) and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and without requiring user interaction. Exploitation enables arbitrary file writes on the server, potentially leading to low integrity impact (I:L) and high availability impact (A:H), such as overwriting critical files or causing denial of service.

The vulnerability has been addressed in Docmost version 0.24.0. Mitigation involves upgrading to this patched release, with details available in the GitHub security advisory (GHSA-54pm-hqxm-54wg), the fixing commit (c3b350d943108552e20654580005cd6f6c78ab05), pull request #1753, and the v0.24.0 release notes.

Vulnerability details

Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via the Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there is no validation of filenames. This vulnerability is fixed in 0.24.0.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Arbitrary file write via ZipSlip/path traversal directly enables writing web shells (T1505.003, formerly T1100) or overwriting critical files for destruction/DoS (T1485).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24045 (same product: Docmost)
CVE-2026-41203 (shared CWE-22)
CVE-2026-41202 (shared CWE-22)
CVE-2026-6940 (shared CWE-22)
CVE-2026-33329 (shared CWE-22)
CVE-2026-24970 (shared CWE-22)
CVE-2025-24406 (shared CWE-22)
CVE-2026-24848 (shared CWE-22)
CVE-2026-4351 (shared CWE-22)
CVE-2026-1111 (shared CWE-22)

Affected Assets

Vendor: docmost
Product: docmost
Affected versions: 0.21.0 up to but not including 0.24.0

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent): Directly requires validation of untrusted input (zip entry filenames) to reject path traversal sequences before any file write occurs.

SI-2 Flaw Remediation (prevent): Mandates timely application of the vendor patch (v0.24.0) that adds the missing filename validation in file.utils.ts.

Detect: Requires integrity verification mechanisms that can detect unauthorized file overwrites resulting from successful ZipSlip exploitation.
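The filename check that the deeper analysis and the SI-10 control above describe, written as an added TypeScript example (this is not Docmost's own file.utils.ts code or its fix): each zip entry name is normalised, resolved against the import directory, and rejected before any write if it would land outside that directory. The function names, the destination path and the entry names in the test are assumptions constructed for the example.

```typescript
import * as path from "path";

// Outcome of validating one zip entry name against the import directory.
export interface EntryCheck {
  safe: boolean;
  resolved?: string; // absolute destination path, present only when safe
  reason?: string;   // why the entry was rejected, present only when unsafe
}

// The bug class: joining an untrusted archive entry name to the destination
// with no validation, so a name containing ".." resolves outside destDir.
// (Hypothetical illustration of the pattern, not Docmost's code.)
export function unsafeEntryPath(destDir: string, entryName: string): string {
  return path.join(destDir, entryName);
}

// Hardened check, to be called before any file is written:
// 1. treat '\' as a separator (some archivers emit it) and reject NUL bytes;
// 2. reject absolute names and any ".." component;
// 3. resolve against destDir and confirm the result is still inside it.
// Step 3 is what actually enforces containment; steps 1 and 2 only give
// clearer rejection reasons.
export function safeEntryPath(destDir: string, entryName: string): EntryCheck {
  const name = entryName.replace(/\\/g, "/");
  if (name.length === 0) return { safe: false, reason: "empty entry name" };
  if (name.includes("\0")) return { safe: false, reason: "NUL byte in entry name" };
  if (path.posix.isAbsolute(name) || /^[A-Za-z]:/.test(name)) {
    return { safe: false, reason: "absolute path" };
  }
  if (name.split("/").includes("..")) {
    return { safe: false, reason: "parent-directory component" };
  }
  const root = path.resolve(destDir);
  const resolved = path.resolve(root, name);
  if (resolved !== root && !resolved.startsWith(root + path.sep)) {
    return { safe: false, reason: "resolves outside destination" };
  }
  return { safe: true, resolved };
}

// Filters an archive's entry names down to the ones that may be written.
export function safeEntries(destDir: string, names: string[]): string[] {
  return names.filter((n) => safeEntryPath(destDir, n).safe);
}
```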
