CVE-2026-26028
Deferred Deferred - Pending Action
HTML Sanitizer Bypass in CryptPad via srcdoc Injection

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: GitHub, Inc.

Description
CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of <iframe>, <video>, and <audio> elements, leaving all other attributes unchecked. As a result, an attacker can inject arbitrary HTML through srcdoc, completely defeating CryptPad's intended bounce sandboxing and enabling link injection or other interactive content within user-controlled documents. The root cause lies in how the sanitizer classifies and enforces tag restrictions: although it defines both forbidden and restricted tag lists, <iframe> is treated as "restricted" rather than "forbidden." Enforcement then inspects only the src attribute, so pairing a benign blob: src with a malicious srcdoc results in unrestricted rendering. This issue has been fixed in version 2026.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-26028
EUVD
EUVD-2026-31154
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cryptpad cryptpad to 5.9.0 (exc)
cryptpad cryptpad 2026.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26028 is a vulnerability in CryptPad's HTML sanitizer located in Diffmarked.js. The sanitizer is supposed to filter HTML attributes on certain restricted tags like <iframe>, <video>, and <audio>. However, it only validates the src attribute and ignores other attributes such as srcdoc.

Because of this incomplete filtering, an attacker can inject arbitrary HTML content through the srcdoc attribute, bypassing the intended sandboxing protections. This allows malicious interactive content or links to be embedded within user-controlled documents.

The root cause is that the sanitizer treats <iframe> as a restricted tag rather than a forbidden one, so it only inspects the src attribute. Pairing a benign src with a malicious srcdoc results in unrestricted rendering of harmful content.

This vulnerability was fixed in CryptPad version 2026.2.0.

Impact Analysis

This vulnerability can allow an attacker to inject arbitrary HTML content into CryptPad documents, potentially leading to Cross-Site Scripting (XSS) attacks.

Such injected content could include malicious links or interactive elements that deceive users, compromising the confidentiality and integrity of data.

The attack can be performed remotely over the network without requiring privileges, but it does require user interaction to trigger.

The CVSS score for this vulnerability is 6.1 (Moderate severity), reflecting the potential impact on confidentiality and integrity but no impact on availability.

Detection Guidance

This vulnerability involves the injection of arbitrary HTML through the srcdoc attribute in <iframe> elements within CryptPad documents. Detection would involve inspecting user-generated content or network traffic for suspicious <iframe> tags that include a benign src attribute paired with a malicious srcdoc attribute.

Since the vulnerability is related to HTML content sanitization bypass, detection on the system or network could include searching for HTML payloads containing <iframe> tags with srcdoc attributes.

  • Use grep or similar tools to scan stored documents or logs for occurrences of <iframe> tags with srcdoc attributes, e.g., grep -r '<iframe[^>]*srcdoc=' /path/to/cryptpad/data
  • Monitor network traffic for HTTP requests or responses containing suspicious <iframe> tags with srcdoc attributes using tools like Wireshark or tcpdump with filters for HTTP payloads.
  • Use content inspection commands or scripts to parse and analyze HTML content for iframe tags that have srcdoc attributes, which should not be present or allowed.
Mitigation Strategies

The primary mitigation step is to upgrade CryptPad to version 2026.2.0 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, restrict user input that can include <iframe> tags with srcdoc attributes or disable features that allow embedding such content.

Educate users to avoid interacting with suspicious links or content that could exploit this vulnerability, as it requires user interaction.

Compliance Impact

The vulnerability in CryptPad's HTML sanitizer allows arbitrary HTML injection, which can lead to Cross-Site Scripting (XSS) attacks. Such attacks pose risks to the confidentiality and integrity of user data.

Because this vulnerability can compromise data confidentiality and integrity, it may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or manipulation.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26028. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart