Vulnerability Details CVE-2026-23630
Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/HTML into the DOM via dangerouslySetInnerHTML without sanitization. Mermaid per-diagram %%{init}%% directives allow overriding securityLevel and enabling htmlLabels, permitting arbitrary HTML/JS execution for any viewer. This issue has been fixed in version 0.24.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 20.8%
CVSS Severity
CVSS v3 Score 5.4
References
Products affected by CVE-2026-23630
-
cpe:2.3:a:docmost:docmost:0.10.0
-
cpe:2.3:a:docmost:docmost:0.10.1
-
cpe:2.3:a:docmost:docmost:0.10.2
-
cpe:2.3:a:docmost:docmost:0.20.0
-
cpe:2.3:a:docmost:docmost:0.20.1
-
cpe:2.3:a:docmost:docmost:0.20.2
-
cpe:2.3:a:docmost:docmost:0.20.3
-
cpe:2.3:a:docmost:docmost:0.20.4
-
cpe:2.3:a:docmost:docmost:0.21.0
-
cpe:2.3:a:docmost:docmost:0.22.0
-
cpe:2.3:a:docmost:docmost:0.22.1
-
cpe:2.3:a:docmost:docmost:0.22.2
-
cpe:2.3:a:docmost:docmost:0.23.0
-
cpe:2.3:a:docmost:docmost:0.23.1
-
cpe:2.3:a:docmost:docmost:0.3.0
-
cpe:2.3:a:docmost:docmost:0.3.1
-
cpe:2.3:a:docmost:docmost:0.4.0
-
cpe:2.3:a:docmost:docmost:0.4.1
-
cpe:2.3:a:docmost:docmost:0.5.0
-
cpe:2.3:a:docmost:docmost:0.6.0
-
cpe:2.3:a:docmost:docmost:0.6.1
-
cpe:2.3:a:docmost:docmost:0.6.2
-
cpe:2.3:a:docmost:docmost:0.7.0
-
cpe:2.3:a:docmost:docmost:0.8.0
-
cpe:2.3:a:docmost:docmost:0.8.1
-
cpe:2.3:a:docmost:docmost:0.8.2
-
cpe:2.3:a:docmost:docmost:0.8.3
-
cpe:2.3:a:docmost:docmost:0.8.4
-
cpe:2.3:a:docmost:docmost:0.9.0