Docmost wiki software: Malicious scripts can be injected via uploaded files

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

4.6

Docmost wiki software: Malicious scripts can be injected via uploaded files

CVE-2026-33193

Summary

Older versions of Docmost's collaborative wiki software are open to an attack where hackers can inject malicious code into the system. This could put users and their data at risk. Update to version 0.70.0 or later to fix this issue.

Original title

Original description

Docmost is open-source collaborative wiki and documentation software. Versions prior to 0.70.0 are vulnerable to a stored cross-site scripting (XSS) attack due to improper handling of MIME type spoofing (GHSL-2026-052). An attacker could exploit this flaw to inject malicious scripts, potentially compromising the security of users and data. Version 0.70.0 contains a patch.

nvd CVSS3.1 4.6

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://github.com/docmost/docmost/security/advisories/GHSA-7cq4-577p-wp6p

Published: 14 Apr 2026 · Updated: 16 Apr 2026 · First seen: 14 Apr 2026