CVE-2026-22249
Published: 15 January 2026
Summary
CVE-2026-22249 is a high-severity Path Traversal (CWE-22) vulnerability in Docmost (vendor and product share the name). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003). Its exploit-likelihood ranking is the 39.0th percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22249 is an Arbitrary File Write vulnerability, stemming from a ZipSlip issue in the Zip Import Feature of Docmost, an open-source collaborative wiki and documentation software. The flaw affects versions from 0.21.0 up to but not including 0.24.0, due to missing filename validation in the file apps/server/src/integrations/import/utils/file.utils.ts. It is classified under CWE-22 (Path Traversal) and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network with low attack complexity and without user interaction: importing a crafted archive whose entry names contain traversal sequences makes the import routine write those entries outside the intended extraction directory, anywhere the Docmost server process has write access. The scored impact is low integrity (I:L) and high availability (A:H), for example overwriting critical files or causing denial of service, with no confidentiality impact (C:N). Where the writable locations include the application's own code or startup files, the practical outcome is code execution rather than the limited tampering the vector alone suggests.
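The ZipSlip pattern described above, as an added TypeScript illustration that is not Docmost's code and not the content of the fixing commit: the vulnerable form joins the untrusted entry name onto the extraction directory without a check, and the hardened form resolves the path and verifies it stays under that directory. The sample entry names, the destination directory and the function names are constructed for this example.

```typescript
import * as path from "path";

// Constructed sample zip entry names (illustrative, not taken from the advisory).
// The first two are benign; the remaining four are crafted to escape the
// extraction directory.
export const SAMPLE_ENTRIES: string[] = [
  "pages/home.md",
  "nested/./ok.md",
  "../../etc/cron.d/evil",
  "/etc/passwd",
  "pages/..\\..\\..\\app.js",
  "pages/../../../server.js",
];

// Vulnerable pattern: the untrusted entry name is joined onto the extraction
// directory with no validation. path.join collapses "..", so the result can
// land anywhere the server process may write.
export function unsafeTargetPath(destDir: string, entryName: string): string {
  return path.join(destDir, entryName);
}

// Hardened version: resolve the candidate path and confirm it is still inside
// destDir. Returns null for any entry that must be skipped.
export function safeTargetPath(destDir: string, entryName: string): string | null {
  // Zip entries may use backslashes; treat them as separators so a "..\"
  // sequence cannot slip past a forward-slash-only check.
  const name = entryName.replace(/\\/g, "/");
  // An absolute entry name would replace destDir entirely under path.resolve.
  if (path.posix.isAbsolute(name)) {
    return null;
  }
  const root = path.resolve(destDir);
  const target = path.resolve(root, name);
  const rel = path.relative(root, target);
  // rel is "" when the entry resolves to the root itself (not a file), and is
  // ".." or starts with "../" when it escapes the root. A plain
  // startsWith("..") would wrongly reject a legitimate file named "..foo".
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return target;
}

// Returns the entry names that the hardened check rejects.
export function rejectedEntries(destDir: string, entries: string[]): string[] {
  return entries.filter((entry) => safeTargetPath(destDir, entry) === null);
}

// Stand-alone demonstration over the constructed entries.
const demoDir = "/srv/docmost/import/job-1"; // assumed extraction directory
for (const entry of SAMPLE_ENTRIES) {
  console.log(
    entry,
    "| unsafe:", unsafeTargetPath(demoDir, entry),
    "| safe:", safeTargetPath(demoDir, entry),
  );
}
```

The check is applied to every entry before anything is written; an archive containing a single rejected entry should ideally be refused as a whole, since a traversal name is never present in a legitimate export.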
The vulnerability has been addressed in Docmost version 0.24.0. Mitigation involves upgrading to this patched release, with details available in the GitHub security advisory (GHSA-54pm-hqxm-54wg), the fixing commit (c3b350d943108552e20654580005cd6f6c78ab05), pull request #1753, and the v0.24.0 release notes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2856
Vulnerability details
Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via the Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there is no validation of filenames. This vulnerability is fixed in 0.24.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file write via ZipSlip/path traversal directly enables dropping web shells (Web Shell, T1505.003) or overwriting critical files for destruction or denial of service (Data Destruction, T1485).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted input (zip entry filenames) to reject path traversal sequences before any file write occurs.
- SI-2 (Flaw Remediation): mandates timely application of the vendor patch (v0.24.0) that adds the missing filename validation in file.utils.ts.
- Integrity verification: requires mechanisms that can detect unauthorized file overwrites resulting from successful ZipSlip exploitation, such as file integrity monitoring of application code, configuration and scheduled-task directories writable by the Docmost process.