CVE-2026-33193 PUBLISHED

Docmost vulnerable to stored XSS via MIME type spoofing

Assigner: GitHub_M
Reserved: 17.03.2026 Published: 14.04.2026 Updated: 14.04.2026

Docmost is open-source collaborative wiki and documentation software. Versions prior to 0.70.0 are vulnerable to a stored cross-site scripting (XSS) attack due to improper handling of MIME type spoofing (GHSL-2026-052). An attacker could exploit this flaw to inject malicious scripts, potentially compromising the security of users and data. Version 0.70.0 contains a patch.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVSS Score: 4.6

Product Status

Vendor docmost
Product docmost
Versions
  • Version < 0.70.0 is affected

References

Problem Types

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE