Cyber Resilience

CVE-2026-24045

High · Public PoC

Published: 10 February 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: fixed in 0.25.0
CVSS Score (v3.1): 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0004 (13.0th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-24045 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Docmost (vendor: Docmost). Its CVSS base score is 7.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 13.0th percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-24045 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Docmost, an open-source collaborative wiki and documentation platform. The flaw affects versions from 0.20.0 up to but not including 0.25.0. It stems from the public share page functionality failing to HTML-escape page titles before inserting them into the page's meta tags and title tag. A title therefore lands unescaped in two HTML contexts, the text of the <title> element and a quoted attribute value in a <meta> tag; a title that closes either context turns the rest of its content into markup the browser parses, including script. The CVSS v3.1 base score is 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R) such as a victim opening a shared page link. Exploitation enables the execution of arbitrary JavaScript in the victim's browser context, compromising confidentiality and integrity (C:H/I:H) for any user accessing the link, with no impact on availability (A:N) and unchanged scope (S:U).
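The following is an added example written for this page; it is not Docmost's code and does not reproduce the published proof of concept. It models a share-page head renderer in the two shapes the advisory describes (title interpolated verbatim, then the same with HTML escaping) and a small tag scanner that reports which rendering would hand the browser a live script element. The function names (renderShareHeadVulnerable, renderShareHeadFixed, startTagNames), the page fields and the two sample titles are assumptions made for the demo.

```javascript
// Added example (not Docmost's own code): how an unescaped page title reaches
// the <title> and <meta> tags of a public share page, the escaping that fixes
// it, and a small scanner that shows which rendering injects a script element.
// Function and field names (renderShareHead*, page.title, page.description)
// are illustrative assumptions, not Docmost identifiers.

// Escape the five characters that matter in element text and in quoted
// attribute values. Ampersand goes first so later replacements are not
// double-escaped. One function covers both contexts used below.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored title is interpolated verbatim.
// <title> is RCDATA, so "<script>" inside it is inert text, but "</title>"
// ends the element and whatever follows is parsed as markup. In the meta
// tag a double quote ends the content attribute and ">" ends the tag.
function renderShareHeadVulnerable(page) {
  return [
    `<title>${page.title}</title>`,
    `<meta property="og:title" content="${page.title}">`,
    `<meta name="description" content="${page.description}">`,
  ].join("\n");
}

// Fixed pattern: every untrusted value is escaped before interpolation.
// The browser decodes the entities when it displays the title, so the
// visible text is unchanged; only the parse is protected.
function renderShareHeadFixed(page) {
  const title = escapeHtml(page.title);
  const description = escapeHtml(page.description);
  return [
    `<title>${title}</title>`,
    `<meta property="og:title" content="${title}">`,
    `<meta name="description" content="${description}">`,
  ].join("\n");
}

// Minimal tag scanner: returns the names of the start tags a browser would
// see. It honours quoted attribute values (markup inside a well-formed
// attribute is not counted) and the RCDATA/raw-text rule for <title> and
// <script> (their content is skipped until the matching end tag).
function startTagNames(html) {
  const names = [];
  const lower = html.toLowerCase();
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") { i += 1; continue; }
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9-]*)/.exec(html.slice(i));
    if (!m) { i += 1; continue; }
    const isEndTag = m[1] === "/";
    const name = m[2].toLowerCase();
    i += m[0].length;
    let quote = null;                       // consume attributes up to ">"
    while (i < html.length) {
      const c = html[i];
      i += 1;
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === ">") break;
    }
    if (isEndTag) continue;
    names.push(name);
    if (name === "title" || name === "script") {
      const end = lower.indexOf("</" + name, i);
      i = end === -1 ? html.length : end;
    }
  }
  return names;
}

// True when the rendered head contains a live <script> start tag.
function injectsScript(render, page) {
  return startTagNames(render(page)).includes("script");
}

// Constructed sample titles, one per context. The first closes <title> and
// reopens it so the page still looks normal; the second closes the quoted
// content attribute of the og:title meta tag.
const titleBreakout = {
  title: "</title><script>alert(document.domain)</script><title>Quarterly plan",
  description: "Budget notes",
};
const attributeBreakout = {
  title: '"><script>alert(document.domain)</script><meta x="',
  description: "Budget notes",
};

// injectsScript(renderShareHeadVulnerable, titleBreakout)     -> true
// injectsScript(renderShareHeadFixed, titleBreakout)          -> false
// injectsScript(renderShareHeadVulnerable, attributeBreakout) -> true
// injectsScript(renderShareHeadFixed, attributeBreakout)      -> false
```

Two points the scanner makes concrete: a payload that is harmless in one of the two contexts is live in the other (a bare `<script>` inside `<title>` is text, a closed attribute quote inside `<meta>` is not), so the title must be escaped for every context it is written into, not just one; and the fix the project shipped is output escaping (the SI-15 control below), because input validation on titles cannot reject `<`, `>` or `"` without breaking legitimate titles and is better treated as defence in depth.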

Docmost addressed this vulnerability in version 0.25.0. Mitigation involves upgrading to 0.25.0 or later. Details are provided in the GitHub security advisory (GHSA-h7fp-4f37-29wq), the fixing commit (f3f74c591f32f85b8aa9a98ed884a7dd455780f9), and the v0.25.0 release notes.
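The fix changes how titles are rendered, not what is stored: a title that already carries injected markup is still in the database after the upgrade and is merely escaped on output from then on. Auditing existing titles is therefore a reasonable follow-up. The block below is an added example, not Docmost's code and not part of the advisory; it runs a weighted set of breakout indicators over a constructed list that stands in for an export of page ids and titles. The record shape, the indicator names and their weights are assumptions for the demo.

```javascript
// Added example (not Docmost's own code): triage stored page titles for
// markup that would have broken out of <title> or a meta attribute before the
// upgrade. Records, field names and the indicator list are constructed
// assumptions for the demo; adapt the input to your own export.

// Heuristic indicators. Weight 3 = almost certainly a payload, 2 = attribute
// breakout shape, 1 = looks like a tag but may be legitimate text.
const INDICATORS = [
  { name: "closes-title-element", weight: 3, re: /<\/title/i },
  { name: "script-tag",           weight: 3, re: /<script\b/i },
  { name: "event-handler",        weight: 3, re: /\bon[a-z]+\s*=/i },
  { name: "javascript-url",       weight: 3, re: /javascript\s*:/i },
  { name: "attribute-breakout",   weight: 2, re: /["'][^"']*>/ },
  { name: "html-tag",             weight: 1, re: /<\/?[a-z][a-z0-9-]*[\s>\/]/i },
];

// Run every indicator against one title; severity is the highest weight hit.
function auditTitle(record) {
  const hits = INDICATORS.filter((ind) => ind.re.test(record.title));
  return {
    id: record.id,
    title: record.title,
    hits: hits.map((h) => h.name),
    severity: hits.reduce((max, h) => Math.max(max, h.weight), 0),
  };
}

// Return only the flagged records, most severe first (Array.prototype.sort
// is stable, so equally severe records keep export order).
function auditTitles(records) {
  return records
    .map(auditTitle)
    .filter((r) => r.severity > 0)
    .sort((a, b) => b.severity - a.severity);
}

// Constructed stand-in for an export of page ids and titles.
const sampleExport = [
  { id: 1, title: "Quarterly plan" },
  { id: 2, title: "Notes: 2 < 3 & 4 > 1" },                            // benign
  { id: 3, title: "</title><script>alert(document.domain)</script>" }, // title breakout
  { id: 4, title: '"><img src=x onerror=alert(1)>' },                  // attribute breakout
  { id: 5, title: "FAQ: what is <T> in generics?" },                   // tag-like, probably benign
];

// auditTitles(sampleExport) flags ids 3 and 4 at severity 3 and id 5 at
// severity 1; ids 1 and 2 are not flagged.
```

The weights exist because a wiki title legitimately contains angle brackets and quotes (ids 2 and 5 above), so a single "contains `<`" rule would drown the real hits; review the severity-3 records first and treat the severity-1 ones as a list to eyeball. Rewriting or deleting a flagged title is the owner's decision, but the flagged ids are also worth correlating with the share links and access logs for those pages to see who opened them while the vulnerable version was deployed.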


Vulnerability details

Docmost is open-source collaborative wiki and documentation software. From 0.20.0 and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks, where an attacker can execute arbitrary JavaScript in the context of any user who opens a shared page link. This vulnerability is fixed in 0.25.0.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS directly enables arbitrary JavaScript execution in victim browsers (T1059.007) after exploiting the public-facing web application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22249 (same product: Docmost)
CVE-2026-3231 (shared CWE-79)
CVE-2025-23481 (shared CWE-79)
CVE-2025-69302 (shared CWE-79)
CVE-2025-23734 (shared CWE-79)
CVE-2025-23571 (shared CWE-79)
CVE-2025-65110 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-27352 (shared CWE-79)
CVE-2025-30349 (shared CWE-79)

Affected Assets

Vendor: docmost
Product: docmost
Versions: 0.20.0 up to but not including 0.25.0

Mitigating Controls (NIST 800-53 r5, AI mapping)

SI-10 Information Input Validation (prevent)
Requires validation and sanitization of untrusted input (page titles) before it is rendered into HTML contexts, directly blocking the stored XSS payload insertion.

SI-15 Information Output Filtering (prevent)
Mandates filtering or encoding of information output into web pages (meta and title tags), preventing the unescaped attacker-controlled content from executing as JavaScript.

Malicious-code detection and blocking (prevent, detect)
Provides malicious-code detection and blocking mechanisms that can identify and stop execution of injected scripts delivered via the shared-page XSS vector.
