Vulnerability Details CVE-2026-34212
Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious `javascript:` URL inside an attachment node in page content. When another user views the page and activates the attachment link/icon, attacker-controlled JavaScript executes in the context of the Docmost origin. Version 0.71.0 patches the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 1.1%
CVSS Severity
CVSS v3 Score 5.4
Products affected by CVE-2026-34212
-
cpe:2.3:a:docmost:docmost:0.10.0
-
cpe:2.3:a:docmost:docmost:0.10.1
-
cpe:2.3:a:docmost:docmost:0.10.2
-
cpe:2.3:a:docmost:docmost:0.2.0
-
cpe:2.3:a:docmost:docmost:0.2.1
-
cpe:2.3:a:docmost:docmost:0.2.10
-
cpe:2.3:a:docmost:docmost:0.2.2
-
cpe:2.3:a:docmost:docmost:0.2.3
-
cpe:2.3:a:docmost:docmost:0.2.4
-
cpe:2.3:a:docmost:docmost:0.2.5
-
cpe:2.3:a:docmost:docmost:0.2.7
-
cpe:2.3:a:docmost:docmost:0.2.8
-
cpe:2.3:a:docmost:docmost:0.2.9
-
cpe:2.3:a:docmost:docmost:0.20.0
-
cpe:2.3:a:docmost:docmost:0.20.1
-
cpe:2.3:a:docmost:docmost:0.20.2
-
cpe:2.3:a:docmost:docmost:0.20.3
-
cpe:2.3:a:docmost:docmost:0.20.4
-
cpe:2.3:a:docmost:docmost:0.21.0
-
cpe:2.3:a:docmost:docmost:0.22.0
-
cpe:2.3:a:docmost:docmost:0.22.1
-
cpe:2.3:a:docmost:docmost:0.22.2
-
cpe:2.3:a:docmost:docmost:0.23.0
-
cpe:2.3:a:docmost:docmost:0.23.1
-
cpe:2.3:a:docmost:docmost:0.3.0
-
cpe:2.3:a:docmost:docmost:0.3.1
-
cpe:2.3:a:docmost:docmost:0.4.0
-
cpe:2.3:a:docmost:docmost:0.4.1
-
cpe:2.3:a:docmost:docmost:0.5.0
-
cpe:2.3:a:docmost:docmost:0.6.0
-
cpe:2.3:a:docmost:docmost:0.6.1
-
cpe:2.3:a:docmost:docmost:0.6.2
-
cpe:2.3:a:docmost:docmost:0.7.0
-
cpe:2.3:a:docmost:docmost:0.8.0
-
cpe:2.3:a:docmost:docmost:0.8.1
-
cpe:2.3:a:docmost:docmost:0.8.2
-
cpe:2.3:a:docmost:docmost:0.8.3
-
cpe:2.3:a:docmost:docmost:0.8.4
-
cpe:2.3:a:docmost:docmost:0.9.0