CVE-2026-24045
Published: 10 February 2026
Summary
CVE-2026-24045 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Docmost. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 13.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-24045 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Docmost, an open-source collaborative wiki and documentation software. The flaw impacts versions from 0.20.0 up to but not including 0.25.0. It stems from the public share page functionality failing to properly HTML-escape page titles before inserting them into meta tags and the title tag. The CVSS v3.1 base score is 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R) such as a victim opening a shared page link. Exploitation enables the execution of arbitrary JavaScript in the victim's browser context, compromising confidentiality and integrity (C:H/I:H) for any user accessing the link, with no impact on availability (A:N) and unchanged scope (S:U).
Docmost addressed this vulnerability in version 0.25.0. Mitigation involves upgrading to 0.25.0 or later. Details are provided in the GitHub security advisory (GHSA-h7fp-4f37-29wq), the fixing commit (f3f74c591f32f85b8aa9a98ed884a7dd455780f9), and the v0.25.0 release notes.
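The unescaped-title pattern described above and the output-encoding fix can be compared with a small regression check. This is an added example, not Docmost's code or its fixing commit; the function names, the `og:title` meta tag and the probe title are assumptions constructed for illustration.

```javascript
// Added example. Function names and the two-tag template are hypothetical,
// not taken from Docmost's source or its fixing commit.

// Encode the characters that can end a text node or a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before" pattern: the stored page title is interpolated into both sinks as-is.
function renderShareHeadUnescaped(title) {
  return `<title>${title}</title>\n<meta property="og:title" content="${title}">`;
}

// Hardened pattern: encode at output time, for every sink the title reaches.
function renderShareHeadEscaped(title) {
  const safe = escapeHtml(title);
  return `<title>${safe}</title>\n<meta property="og:title" content="${safe}">`;
}

// Summarise the tags and attribute names in a rendered head so a test can
// compare them with what the template alone should produce.
function headStructure(head) {
  const tagRe = /<(\/?[a-zA-Z][^\s>]*)([^>]*)>/g;
  const attrRe = /([^\s"'=<>\/]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/g;
  const parts = [];
  for (const tag of head.matchAll(tagRe)) {
    const attrs = [...tag[2].matchAll(attrRe)].map((a) => a[1].toLowerCase());
    const name = tag[1].toLowerCase();
    parts.push(attrs.length ? `${name}[${attrs.join(',')}]` : name);
  }
  return parts.join(' ');
}

const EXPECTED_STRUCTURE = 'title /title meta[property,content]';

// Constructed title carrying a harmless markup probe (no script content).
const PROBE_TITLE = 'Q3 </title><b id="probe"> "plan"';

// True when the title stayed data, i.e. it added no tags or attributes.
function titleStaysInert(render, title) {
  return headStructure(render(title)) === EXPECTED_STRUCTURE;
}

console.log('unescaped inert:', titleStaysInert(renderShareHeadUnescaped, PROBE_TITLE));
console.log('escaped inert:  ', titleStaysInert(renderShareHeadEscaped, PROBE_TITLE));
```

The structure check is deliberately strict: any tag or attribute beyond the template's own counts as a failure, which suits a regression test for title handling in a share-page renderer.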
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6768
Vulnerability details
Docmost is open-source collaborative wiki and documentation software. From 0.20.0 and before 0.25.0, the public share page functionality in Docmost does not properly HTML-escape page titles before inserting them into meta tags and the title tag. This allows Stored Cross-Site Scripting (XSS) attacks, where an attacker can execute arbitrary JavaScript in the context of any user who opens a shared page link. This vulnerability is fixed in 0.25.0.
- CWE(s): CWE-79
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables arbitrary JavaScript execution in victim browsers (T1059.007) after exploiting the public-facing web application (T1190).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Requires validation and sanitization of untrusted input (page titles) before it is rendered into HTML contexts, directly blocking the stored XSS payload insertion.
Mandates filtering or encoding of information output into web pages (meta and title tags), preventing the unescaped attacker-controlled content from executing as JavaScript.
Provides malicious-code detection and blocking mechanisms that can identify and stop execution of injected scripts delivered via the shared-page XSS vector.