SB20260425211 - Multiple vulnerabilities in HedgeDoc
Published: April 25, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Cross-site scripting (CVE-ID: N/A)
The vulnerability allows a remote user to execute JavaScript in the context of the instance's domain.
The vulnerability exists due to improper neutralization of input during web page generation in SVG upload handling when including an uploaded SVG file into a note using iframe tags. A remote user can upload a specially crafted SVG file and include it in a note to execute JavaScript in the context of the instance's domain.
This impacts instances with SVG uploading enabled, especially when using the local filesystem backend.
2) Cross-site scripting (CVE-ID: CVE-2026-25642)
The vulnerability allows a remote attacker to host malicious interactive web content that can facilitate phishing.
The vulnerability exists due to cross-site scripting in the /uploads/ endpoint when serving uploaded SVG files without the intended security headers. A remote attacker can upload a specially crafted SVG file and directly link to it to host malicious interactive web content that can facilitate phishing.
This impacts instances using the filesystem backend for media uploads, and user interaction is required for a victim to open the link.
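Both issues come down to the same root cause: an uploaded SVG, which is an XML document that may carry script, is served from the instance's own origin as a renderable document, either embedded via an iframe (1) or opened by direct link (2). The bulletin does not name the "intended security headers". The following added example, which is not code from the bulletin or from the HedgeDoc project, assumes the standard mitigations for user-supplied SVG (serve it as a download or under a sandboxing/script-blocking Content-Security-Policy, and forbid MIME sniffing) and checks a captured set of response headers against them, so an administrator can verify the `/uploads/` endpoint after patching. All header values below are constructed samples.

```python
"""Assumption-based header check for responses that serve uploaded SVG files.

Added example, not part of the bulletin or of HedgeDoc. The headers it looks
for (Content-Disposition: attachment, a sandboxing or script-blocking CSP,
X-Content-Type-Options: nosniff) are the usual defences for user-supplied
SVG; the bulletin itself does not specify which headers were missing.
"""

from typing import Dict, List

# Constructed sample headers, as an HTTP client would receive them from
# GET /uploads/<file>.svg. The first set serves the SVG as a plain document
# in the instance's origin; the second set is the hardened form.
UNSAFE_HEADERS = {
    "Content-Type": "image/svg+xml",
    "Content-Length": "1184",
}

HARDENED_HEADERS = {
    "Content-Type": "image/svg+xml",
    "Content-Disposition": 'attachment; filename="upload.svg"',
    "Content-Security-Policy": "default-src 'none'; sandbox",
    "X-Content-Type-Options": "nosniff",
}


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    # Header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def csp_isolates_svg(csp: str) -> bool:
    """True if the CSP keeps SVG script from acting as the site's origin.

    Either a `sandbox` directive without `allow-same-origin` (the document
    gets an opaque origin, so even running script cannot reach the instance's
    cookies or DOM) or a script-src/default-src of 'none' (no script at all).
    """
    directives = [d.strip() for d in csp.split(";") if d.strip()]
    names = {}
    for d in directives:
        parts = d.split()
        names[parts[0].lower()] = [p.lower() for p in parts[1:]]
    if "sandbox" in names and "allow-same-origin" not in names["sandbox"]:
        return True
    for key in ("script-src", "default-src"):
        if names.get(key) == ["'none'"]:
            return True
    return False


def assess_svg_response(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the SVG is served safely."""
    h = _lower_keys(headers)
    findings: List[str] = []
    if "svg" not in h.get("content-type", "").lower():
        return findings  # not an SVG response, nothing SVG-specific to check
    # Content-Disposition: attachment makes direct navigation and iframe
    # embedding download the file instead of rendering it as a document.
    served_inline = not h.get("content-disposition", "").lower().startswith("attachment")
    if served_inline and not csp_isolates_svg(h.get("content-security-policy", "")):
        findings.append(
            "SVG rendered as a document in the site origin without a "
            "sandboxing or script-blocking Content-Security-Policy"
        )
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("unsafe", UNSAFE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, assess_svg_response(hdrs) or "ok")
```

To use it against a live instance, feed `assess_svg_response` the header dictionary from any HTTP client's response to an `/uploads/` URL; only the check logic is shown here, so the sample headers stand in for that response. Note that `Content-Disposition: attachment` does not stop an `<img>` tag from displaying the file, which is fine: script in an SVG loaded as an image never executes, so the CSP and disposition checks target the document and iframe cases the bulletin describes.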
Remediation
Install update from vendor's website.