CVE-2026-24045

7.3 HIGH

📋 TL;DR

Docmost versions before 0.25.0 have a stored XSS vulnerability in public share pages: page titles are not HTML-escaped before being inserted into the <title> and <meta> tags of the server-rendered share page. A workspace member who can edit a shared page can place a payload in its title that runs in the browser of anyone who opens the public share link, including logged-in users, whose sessions and data can then be abused. Every Docmost instance running a vulnerable version with public sharing in use is affected.

💻 Affected Systems

Products:
  • Docmost
Versions: All versions before 0.25.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires public share functionality to be enabled and used, which is a core feature of Docmost.

📦 What is this software?

Docmost is an open-source, self-hosted collaborative wiki and documentation platform. Its public sharing feature publishes a workspace page at a share URL that can be read without logging in; the share page is rendered server-side with the page title placed in the <title> and <meta> tags, which is where this bug lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An administrator opens a poisoned share link while logged in. The injected script acts with the admin's session: it can read or change pages, alter sharing and member settings, deface content, or redirect users to attacker-controlled sites, giving the attacker effective control of the workspace.

🟠

Likely Case

A logged-in user opens the share link and the script runs in their session. If the session cookie is not HttpOnly it can be exfiltrated; either way the script can call the Docmost API as the victim, inject content, or perform actions on their behalf. Anonymous visitors can be redirected or phished.

🟢

If Mitigated

With the title HTML-encoded at the point it is written into the <title> and <meta> tags (the fix in 0.25.0), the injected text is rendered as inert characters and no script executes. A strict Content Security Policy is a useful second layer but does not replace the encoding.
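The encoding point described above, as an added example (not Docmost's own code): a minimal server-side renderer for the share page's <head>, written once with raw string interpolation, which reproduces the bug class, and once with HTML encoding. The function names, the HTML skeleton and the two payloads are this example's assumptions. The payloads show why both contexts matter: inside <title> a payload only has to close the element first, inside a quoted content attribute it only has to close the quote.

```javascript
// Added example, not Docmost's own code. Names and HTML skeleton are assumptions.

// Encode the five characters that matter in HTML text and in quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the user-controlled title lands raw inside <title> and inside a
// quoted attribute of <meta>, the two contexts named in the advisory summary.
function renderHeadVulnerable(title) {
  return [
    "<head>",
    `<title>${title} - Docmost</title>`,
    `<meta property="og:title" content="${title}">`,
    "</head>",
  ].join("\n");
}

// Hardened: every interpolation of untrusted data goes through escapeHtml.
function renderHeadSafe(title) {
  const t = escapeHtml(title);
  return [
    "<head>",
    `<title>${t} - Docmost</title>`,
    `<meta property="og:title" content="${t}">`,
    "</head>",
  ].join("\n");
}

// Collect the names of all elements a browser would see in the markup.
// Encoded output contains no "<" followed by a letter, so only the
// template's own elements show up there.
function tagNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) {
    names.add(m[1].toLowerCase());
  }
  return [...names].sort();
}

// Constructed payloads (assumptions): one breaks out of <title>, the other
// breaks out of the quoted content="" attribute.
const TITLE_PAYLOAD = "</title><script>alert(document.domain)</script><title>";
const ATTR_PAYLOAD = '"><img src=x onerror=alert(1)><meta content="';

// Stand-alone run: vulnerable output grows extra script/img elements,
// the hardened output never does.
for (const payload of [TITLE_PAYLOAD, ATTR_PAYLOAD]) {
  console.log("vulnerable:", tagNames(renderHeadVulnerable(payload)));
  console.log("hardened:  ", tagNames(renderHeadSafe(payload)));
}
```

Encode at the template, not at save time: a title stored as `&lt;script&gt;` would display wrongly in the editor and in API responses, and any other rendering path that forgets to encode stays exploitable.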

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes on the victim side (no login needed to open a public share link); placing the payload requires edit rights on the shared page
Complexity: LOW

An attacker with a workspace account that can edit a publicly shared page sets the page title to an HTML/JavaScript payload, then gets victims to open the share link (the same link the page's owner would normally distribute). No special tooling is needed; the payload is an ordinary title string.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.25.0

Vendor Advisory: https://github.com/docmost/docmost/security/advisories/GHSA-h7fp-4f37-29wq

Restart Required: Yes

Instructions:

1. Back up your Docmost instance (database and storage volume).
2. Update to version 0.25.0 or later: for container deployments pull the 0.25.0 or newer image tag and recreate the container; otherwise fetch the release from GitHub releases.
3. Restart the Docmost service.
4. Verify the update: confirm the running version and test that HTML in a page title is rendered encoded on its public share page (see How to Verify).

🔧 Temporary Workarounds

Disable Public Sharing

Platform: all

Temporarily stop using public sharing until the upgrade is done: unpublish existing public pages and tell members not to publish new ones. If your deployment exposes a setting to switch the feature off, use it; this removes the only rendering path the advisory describes.

Audit existing page titles for HTML before re-enabling sharing after the upgrade.

WAF Rule

Platform: all

Implement Web Application Firewall rules to block XSS payloads in page titles.

The payload is stored, so the rule must inspect the page create/update requests (the title field in the request body), not the share URL that later serves it. Matching only on <script> is easy to bypass (an <img onerror=...> or a closing </title> tag needs no script element); treating any raw "<" in a title as suspicious is more robust. Treat this as a stopgap with false positives, not a fix.

🧯 If You Can't Patch

  • Serve a strict Content Security Policy on share pages (nonce- or hash-based script-src, no unsafe-inline); it stops the injected inline script from running but must not break Docmost's own scripts, so test it first
  • Put a reverse proxy in front of the page create/update API to reject titles containing raw HTML; filtering on the share URL alone is too late, the payload is already stored

🔍 How to Verify

Check if Vulnerable:

Check if Docmost version is below 0.25.0 and public sharing is enabled.

Check Version:

Check the version shown in the Docmost admin/workspace settings. For a container deployment, inspect the running image tag: docker inspect --format '{{.Config.Image}}' <container>. For a source deployment, read the version field of the deployed package.json.

Verify Fix Applied:

After updating to 0.25.0 or later, set a test page's title to something like </title><img src=x onerror=alert(1)>, publish it, fetch the share URL and confirm the title comes back encoded (&lt;/title&gt;&lt;img ...) in both the <title> element and the og:title meta tag, with no extra img element in the markup. Unpublish the test page afterwards.
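The verification step above, as an added example that is not part of the original page or of Docmost: it classifies a share page response by how a known probe title comes back. The probe string, the two constructed sample responses and the fetch wrapper (Node 18+ global fetch, share URL layout) are this example's assumptions.

```javascript
// Added example, not Docmost's own code. Probe, samples and URL layout are assumptions.

// A probe that would be dangerous if reflected raw: it closes <title> and
// adds an element with an event handler. Harmless once encoded.
const PROBE_TITLE = "</title><img src=x onerror=alert(1)>";

// Classify a share page body:
//   "vulnerable": the probe appears byte-for-byte (no encoding)
//   "fixed":      the probe appears with < and > encoded
//   "not-found":  the probe is absent (wrong page, cached response, stale title)
function classifyShareHtml(html, probe = PROBE_TITLE) {
  const encoded = probe.replace(/</g, "&lt;").replace(/>/g, "&gt;");
  if (html.includes(probe)) return "vulnerable";
  if (html.includes(encoded)) return "fixed";
  return "not-found";
}

// Text of every <title> element. On a vulnerable page the probe's early
// </title> truncates the first title to an empty string, which is a second,
// structural signal independent of the substring check.
function titleTexts(html) {
  return [...html.matchAll(/<title>([\s\S]*?)<\/title>/gi)].map((m) => m[1]);
}

// Constructed sample bodies standing in for real responses.
const SAMPLE_VULNERABLE = `<!doctype html><html><head>
<title>${PROBE_TITLE} - Docmost</title>
<meta property="og:title" content="${PROBE_TITLE}">
</head><body></body></html>`;

const SAMPLE_FIXED = `<!doctype html><html><head>
<title>&lt;/title&gt;&lt;img src=x onerror=alert(1)&gt; - Docmost</title>
<meta property="og:title" content="&lt;/title&gt;&lt;img src=x onerror=alert(1)&gt;">
</head><body></body></html>`;

// Live use against a real instance (assumes Node 18+ global fetch):
//   auditShareUrl("https://docmost.example.com/share/<shareId>").then(console.log)
async function auditShareUrl(url, probe = PROBE_TITLE) {
  const res = await fetch(url, { headers: { accept: "text/html" } });
  return classifyShareHtml(await res.text(), probe);
}

// Stand-alone run over the constructed samples.
console.log("sample 1:", classifyShareHtml(SAMPLE_VULNERABLE), titleTexts(SAMPLE_VULNERABLE));
console.log("sample 2:", classifyShareHtml(SAMPLE_FIXED), titleTexts(SAMPLE_FIXED));
```

A "not-found" result usually means a CDN or proxy served a cached copy or the title change had not propagated; fetch with cache-busting and retry before drawing a conclusion.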

📡 Detection & Monitoring

Log Indicators:

  • Raw HTML (a "<" followed by a tag name or "/"), javascript: URLs or on*= handler attributes in page create/update events, especially on pages that are publicly shared
  • Repeated title edits on a shared page by the same account, which is what payload tuning looks like in the audit trail (the vulnerable version accepts these titles without error, so do not expect "failed" attempts)

Network Indicators:

  • HTTP requests to the page create/update API whose body carries a title with HTML or JavaScript (visible only if the proxy or WAF logs request bodies)
  • Victims' browsers, not the Docmost server, run the script: look for share-page visits followed by requests from the same client to unfamiliar external hosts, or unexpected API calls made with a user's session right after they open a share link

SIEM Query:

source="docmost" AND (title="*<script*" OR title="*</title>*" OR title="*javascript:*" OR title="*onerror=*" OR title="*onload=*")

Wildcard matching is typically case-insensitive in SIEMs, but check URL-encoded variants too (%3C for "<"); a simpler hunt is any title containing a raw "<", which is rare in legitimate page names.
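The query above, run as code over constructed page-change events so the rule can be tuned before it ships. This is an added example, not Docmost's own code or log format: the event JSON shape, field names and sample lines are this example's assumptions.

```javascript
// Added example, not Docmost's own code. Event format and sample lines are assumptions.

// The three classes of indicator from the SIEM query.
const XSS_TITLE_PATTERNS = [
  { name: "html-tag", re: /<\/?[a-z]/i },          // <script>, </title>, <img ...
  { name: "js-url", re: /javascript\s*:/i },        // href="javascript:..."
  { name: "event-handler", re: /\bon[a-z]+\s*=/i }, // onerror=, onload=
];

// Undo the common ways a payload hides from a naive substring match:
// URL encoding and embedded NUL bytes. Titles that are not URL-encoded
// (a literal "%" in "100% done") are kept as-is.
function normaliseTitle(title) {
  let t = title;
  try { t = decodeURIComponent(t); } catch (_) { /* not URL-encoded */ }
  return t.replace(/\u0000/g, "");
}

// Names of the patterns a title trips; empty array means clean.
function matchTitle(title) {
  const t = normaliseTitle(title);
  return XSS_TITLE_PATTERNS.filter((p) => p.re.test(t)).map((p) => p.name);
}

// Scan newline-delimited JSON page events and return the suspicious ones.
// Only page create/update events are in scope; malformed lines are skipped.
function scanEvents(ndjson) {
  const hits = [];
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    let ev;
    try { ev = JSON.parse(line); } catch (_) { continue; }
    if (!/^page\.(create|update)$/.test(ev.event) || typeof ev.title !== "string") continue;
    const reasons = matchTitle(ev.title);
    if (reasons.length) {
      hits.push({ ts: ev.ts, actor: ev.actor, pageId: ev.pageId, shared: ev.shared === true, reasons });
    }
  }
  return hits;
}

// Constructed sample events (assumed format): two benign titles, three payloads
// (one URL-encoded), one out-of-scope event and one malformed line.
const SAMPLE_EVENTS = [
  '{"ts":"2026-01-10T09:00:01Z","event":"page.update","actor":"alice","pageId":"p1","shared":true,"title":"Onboarding checklist"}',
  '{"ts":"2026-01-10T09:02:11Z","event":"page.create","actor":"bob","pageId":"p2","shared":false,"title":"Sprint 100% done"}',
  '{"ts":"2026-01-10T09:05:40Z","event":"page.update","actor":"mallory","pageId":"p3","shared":true,"title":"</title><script>alert(document.domain)</script>"}',
  '{"ts":"2026-01-10T09:06:02Z","event":"page.update","actor":"mallory","pageId":"p3","shared":true,"title":"Click <a href=\\"javascript:alert(1)\\">here</a>"}',
  '{"ts":"2026-01-10T09:07:15Z","event":"page.update","actor":"mallory","pageId":"p3","shared":true,"title":"%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"}',
  '{"ts":"2026-01-10T09:08:00Z","event":"comment.create","actor":"mallory","pageId":"p3","title":"<script>x</script>"}',
  "not json at all",
].join("\n");

// Stand-alone run: three hits, all by "mallory" on the shared page p3.
console.log(scanEvents(SAMPLE_EVENTS));
```

Expect noise from the html-tag rule on legitimate titles such as "a<b and c>d"; the repeated-edits-by-one-actor-on-a-shared-page signal is what separates payload tuning from a stray angle bracket.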
