CVE-2026-23630
Unknown Unknown - Not Provided
Stored XSS in Docmost Mermaid Rendering Allows Remote Code Execution

Publication date: 2026-01-21

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/HTML into the DOM via dangerouslySetInnerHTML without sanitization. Mermaid per-diagram %%{init}%% directives allow overriding securityLevel and enabling htmlLabels, permitting arbitrary HTML/JS execution for any viewer. This issue has been fixed in version 0.24.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23630
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
docmost docmost From 0.3.0 (inc) to 0.24.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Docmost versions 0.3.0 through 0.23.2, where Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend renders attacker-controlled Mermaid diagrams using mermaid.render(), then injects the returned SVG/HTML into the DOM via dangerouslySetInnerHTML without sanitization. Attackers can use Mermaid's %%{init}%% directives to override security settings and enable htmlLabels, allowing arbitrary HTML and JavaScript execution for any viewer.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary HTML and JavaScript code in the context of the affected application for any user viewing the malicious Mermaid diagrams. This can lead to unauthorized actions, data theft, session hijacking, or other malicious activities impacting users and the integrity of the application.

Mitigation Strategies

Upgrade Docmost to version 0.24.0 or later, as this version contains the fix for the stored Cross-Site Scripting (XSS) vulnerability in Mermaid code block rendering.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23630. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart