CVE-2026-23630

5.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in Docmost allows attackers to inject malicious Mermaid diagram code that executes arbitrary JavaScript when viewed. Any user who can create or edit content in affected versions can exploit this against all viewers. The vulnerability affects all installations running Docmost versions 0.3.0 through 0.23.2.

💻 Affected Systems

Products:
  • Docmost
Versions: 0.3.0 through 0.23.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with Mermaid diagram rendering enabled are vulnerable. The vulnerability requires content creation/edit permissions to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, data theft, or malware deployment affecting all users who view compromised documentation pages.

🟠 Likely Case: Session hijacking, credential theft, or unauthorized actions performed in the context of logged-in users viewing malicious content.

🟢 If Mitigated: Limited impact if proper content security policies and input validation are in place, though the core vulnerability remains exploitable.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires content creation/edit permissions. The advisory includes technical details that make weaponization straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.24.0

Vendor Advisory: https://github.com/docmost/docmost/security/advisories/GHSA-r4hj-mc62-jmwj

Restart Required: Yes

Instructions:

1. Back up your Docmost instance.
2. Update to version 0.24.0 or later using your package manager or deployment method.
3. Restart the Docmost service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable Mermaid rendering

Applies to: all

Temporarily disable Mermaid diagram rendering to prevent exploitation while planning the upgrade.

Action: Modify the configuration to disable the Mermaid integration, or remove Mermaid-related code blocks from content.

Implement Content Security Policy

Applies to: all

Add strict CSP headers to limit script execution from untrusted sources.

Action: Add a 'Content-Security-Policy' header with script-src restrictions.

🧯 If You Can't Patch

  • Restrict content creation and editing permissions to trusted users only
  • Implement web application firewall rules to block suspicious Mermaid diagram content

🔍 How to Verify

Check if Vulnerable:

Check if running Docmost version 0.3.0 through 0.23.2. Test by creating a Mermaid diagram with malicious %%{init}%% directives.

Check Version:

Check package.json or deployment configuration for Docmost version

Verify Fix Applied:

Confirm version is 0.24.0 or later. Test that malicious Mermaid diagrams no longer execute JavaScript.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Mermaid diagram creation patterns
  • Multiple failed diagram rendering attempts
  • Suspicious %%{init}%% directives in content

Network Indicators:

  • Unexpected external script loads from documentation pages
  • Suspicious POST requests to content endpoints with Mermaid code

SIEM Query:

source="docmost" AND (message="*%%{init}%%*" OR message="*securityLevel*" OR message="*htmlLabels*")
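The SIEM query above matches any content that mentions `%%{init}%%`, `securityLevel` or `htmlLabels`, so it will also fire on legitimate theme-only directives. The following added example (not Docmost's code and not part of the advisory) shows how to apply the same indicators to stored page content while separating directives that set the advisory's risky keys from harmless ones. The page record shape, the regexes and the sample pages are constructed assumptions; the sample directive sets only the indicator keys and carries no payload.

```javascript
// Added example (not Docmost code): scan stored page content for Mermaid
// %%{init}%% directives and flag those that set the configuration keys the
// advisory lists as indicators (securityLevel, htmlLabels).
// Page record shape, regexes and sample pages are constructed assumptions.

// A Mermaid init directive looks like %%{init: { ...json-like config... }}%%
const INIT_DIRECTIVE = /%%\{\s*init\s*:\s*([\s\S]*?)\}%%/g;
// Keys (quoted or bare) inside the directive's config object, nested ones included.
const CONFIG_KEY = /["']?([A-Za-z_]\w*)["']?\s*:/g;
const RISKY_KEYS = new Set(['securityLevel', 'htmlLabels']);

// Return every init directive in `content` together with the config keys it
// sets and the subset of those keys that the advisory treats as indicators.
function findInitDirectives(content) {
  const findings = [];
  for (const m of content.matchAll(INIT_DIRECTIVE)) {
    const keys = [...m[1].matchAll(CONFIG_KEY)].map((k) => k[1]);
    const risky = keys.filter((k) => RISKY_KEYS.has(k));
    findings.push({ directive: m[0], keys, risky });
  }
  return findings;
}

// Triage a batch of page records ({ id, author, content }).
// Directives that touch a risky key become 'alert'; theme-only directives are
// kept as 'info' so an analyst can review them without being paged.
function triagePages(pages) {
  const results = [];
  for (const page of pages) {
    for (const f of findInitDirectives(page.content)) {
      results.push({
        pageId: page.id,
        author: page.author,
        severity: f.risky.length > 0 ? 'alert' : 'info',
        riskyKeys: f.risky,
        directive: f.directive,
      });
    }
  }
  return results;
}

// Constructed sample pages (content is the raw Mermaid block body as an editor
// would store it): a theme-only directive, a directive setting the advisory's
// indicator keys (no payload, used only to exercise the detector), and a page
// with no diagram at all.
const SAMPLE_PAGES = [
  { id: 'p1', author: 'alice', content: '%%{init: {"theme": "dark"}}%%\ngraph TD; A-->B' },
  { id: 'p2', author: 'mallory', content: '%%{init: {"securityLevel": "loose", "flowchart": {"htmlLabels": true}}}%%\ngraph TD; A-->B' },
  { id: 'p3', author: 'bob', content: 'No diagrams here.' },
];

// Only the 'alert' findings from the sample batch.
function alertsFromSamples() {
  return triagePages(SAMPLE_PAGES).filter((r) => r.severity === 'alert');
}

console.log(JSON.stringify(triagePages(SAMPLE_PAGES), null, 2));
```

Run it over an export of page bodies, or wire `findInitDirectives` into a save hook, and baseline the 'info' results against existing content before alerting: many teams use `%%{init}%%` legitimately for themes, and the value of the check is in the `riskyKeys` field, not in the presence of a directive.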
