Cross-site scripting in HedgeDoc - #VU127926


Published: April 25, 2026


Vulnerability identifier: #VU127926
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: HedgeDoc
Affected software:
HedgeDoc

Detailed vulnerability description

The vulnerability allows a remote user to execute JavaScript in the context of the instance's domain.

The vulnerability exists due to improper neutralization of input during web page generation in the SVG upload handling: an uploaded SVG file can be included in a note using iframe tags, and active content in that file is then executed. A remote user can upload a specially crafted SVG file, include it in a note, and execute JavaScript in the context of the instance's domain.

This impacts instances with SVG uploading enabled, especially those using the local filesystem backend.
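The following Python is an added example, not HedgeDoc's code, illustrating the two generic defences for this class of issue: serving user uploads with response headers that keep an SVG from running as same-origin script even when it is embedded via an iframe, and flagging uploaded SVGs that carry active content at upload time so they can be logged or rejected. The function names and the sample SVG documents are constructed for the illustration; the detector is a triage heuristic built on the standard-library XML parser, and the serving headers remain the primary control.

```python
"""Defensive handling of user-uploaded SVG files served from an application's own origin.

Added example (hypothetical helpers, not HedgeDoc's code). Two layers:
  1. upload_response_headers(): headers that stop an upload from acting as the
     instance's origin even if it contains script (the actual mitigation).
  2. find_active_content(): a parse-based check that flags SVGs with script,
     event handlers or javascript: URLs, for logging/triage at upload time.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements whose presence means the SVG can run script or embed HTML content.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# SVG 2 plain href and the older xlink:href, as ElementTree names them.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}


def _local(qualified_name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qualified_name.rsplit("}", 1)[-1]


def find_active_content(svg_text: str) -> List[str]:
    """Return the reasons an SVG document could execute script (empty list if none).

    Heuristic only: browser parsers are more permissive than ElementTree, so
    this complements the serving headers rather than replacing them. In
    production, parse with a hardened parser (e.g. defusedxml) to avoid
    entity-expansion attacks; ET.fromstring is used here to stay stdlib-only.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    reasons: List[str] = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            reasons.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)
            # SVG has no legitimate attributes starting with "on"; these are event handlers.
            if attr_name.lower().startswith("on"):
                reasons.append(f"event handler attribute {attr_name} on <{name}>")
            # Browsers tolerate leading whitespace and mixed case in the scheme.
            if attr in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                reasons.append(f"javascript: URL in {attr_name} on <{name}>")
    return reasons


def upload_response_headers(content_type: str) -> Dict[str, str]:
    """Headers for serving any user upload from the application's own origin.

    - nosniff keeps the browser from reinterpreting the body as HTML.
    - A CSP sandbox gives the response an opaque origin with scripts blocked,
      so an SVG rendered in an <iframe> still displays but can no longer read
      the instance's cookies or DOM. Serving uploads from a separate origin
      achieves the same isolation structurally.
    """
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; script-src 'none'",
    }


# Constructed sample inputs for the illustration (not taken from the advisory).
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4"/></svg>'
)
ACTIVE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<script>console.log("constructed")</script>'
    '<a xlink:href=" JavaScript:void(0)"><text onclick="void(0)">x</text></a></svg>'
)

if __name__ == "__main__":
    print("benign:", find_active_content(BENIGN_SVG))
    print("active:", find_active_content(ACTIVE_SVG))
    print("headers:", upload_response_headers("image/svg+xml"))
```

On the benign sample the detector returns an empty list; on the constructed active sample it reports the script element, the javascript: URL and the onclick handler. The header set applies to every upload type, since the same origin problem exists for uploaded HTML.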


Remediation

Install the security update from the vendor's website.

Sources