CVE-2026-22867
Published: 15 January 2026
Summary
CVE-2026-22867 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Lasuite Docs. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 16.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-22867 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting LaSuite Doc, a collaborative note-taking, wiki, and documentation platform. The issue resides in the Interlinking feature across versions 3.8.0 through 4.3.0, where the editor fails to validate URLs used in links to other documents. This allows injection of malicious javascript: URLs. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low attack complexity, and potential for high confidentiality and integrity impacts with cross-origin privileges.
An attacker with document editing privileges can exploit this by crafting a link with a malicious javascript: payload during document creation or editing. When other users interact with the document and click the link, the payload executes arbitrary JavaScript in their browser context, potentially leading to session hijacking, data theft, or further compromise within the application's scope.
Mitigation is available in LaSuite Doc version 4.4.0, which addresses the URL validation flaw. Relevant resources include the fixing commit at https://github.com/suitenumerique/docs/commit/e807237dbedbc189230296b81c3aeccc1c04fa77, the release notes at https://github.com/suitenumerique/docs/releases/tag/v4.4.0, and the GitHub security advisory at https://github.com/suitenumerique/docs/security/advisories/GHSA-4rwv-ghwh-9rv6. Security practitioners should prioritize upgrading affected instances and review editing permissions.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2857
Vulnerability details
LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL…
more
of that link is not validated. An attacker with document editing privileges can inject a malicious javascript: URL that executes arbitrary code when other users click on the link. This vulnerability is fixed in 4.4.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS directly enables browser JS execution (T1059.007) and session hijacking (T1185) via malicious link clicks; exploitation occurs against a public-facing web app (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the lack of URL validation in the Interlinking feature by requiring checks on user-supplied link URLs to block malicious javascript: schemes.
Filters or encodes output of stored links prior to rendering, preventing execution of injected javascript: payloads when users click them.
Ensures timely identification, reporting, and patching of the specific Stored XSS flaw fixed in LaSuite Doc version 4.4.0.