Vulnerability Details CVE-2026-34213
Docmost is open-source collaborative wiki and documentation software. Starting in version 0.3.0 and prior to version 0.71.0, improper authorization in Docmost allows a low-privileged authenticated user to overwrite another page's attachment within the same workspace by supplying a victim `attachmentId` to `POST /api/files/upload`. This is a remote integrity issue requiring no victim interaction. Version 0.71.0 contains a patch.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 12.1%
CVSS Severity
CVSS v3 Score 5.4
Products affected by CVE-2026-34213
-
cpe:2.3:a:docmost:docmost:0.10.0
-
cpe:2.3:a:docmost:docmost:0.10.1
-
cpe:2.3:a:docmost:docmost:0.10.2
-
cpe:2.3:a:docmost:docmost:0.20.0
-
cpe:2.3:a:docmost:docmost:0.20.1
-
cpe:2.3:a:docmost:docmost:0.20.2
-
cpe:2.3:a:docmost:docmost:0.20.3
-
cpe:2.3:a:docmost:docmost:0.20.4
-
cpe:2.3:a:docmost:docmost:0.21.0
-
cpe:2.3:a:docmost:docmost:0.22.0
-
cpe:2.3:a:docmost:docmost:0.22.1
-
cpe:2.3:a:docmost:docmost:0.22.2
-
cpe:2.3:a:docmost:docmost:0.23.0
-
cpe:2.3:a:docmost:docmost:0.23.1
-
cpe:2.3:a:docmost:docmost:0.3.0
-
cpe:2.3:a:docmost:docmost:0.3.1
-
cpe:2.3:a:docmost:docmost:0.4.0
-
cpe:2.3:a:docmost:docmost:0.4.1
-
cpe:2.3:a:docmost:docmost:0.5.0
-
cpe:2.3:a:docmost:docmost:0.6.0
-
cpe:2.3:a:docmost:docmost:0.6.1
-
cpe:2.3:a:docmost:docmost:0.6.2
-
cpe:2.3:a:docmost:docmost:0.7.0
-
cpe:2.3:a:docmost:docmost:0.8.0
-
cpe:2.3:a:docmost:docmost:0.8.1
-
cpe:2.3:a:docmost:docmost:0.8.2
-
cpe:2.3:a:docmost:docmost:0.8.3
-
cpe:2.3:a:docmost:docmost:0.8.4
-
cpe:2.3:a:docmost:docmost:0.9.0