Cross-site scripting in HedgeDoc - CVE-2026-25642

Published: April 25, 2026


Vulnerability identifier: #VU127927
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2026-25642
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: HedgeDoc
Affected software:
HedgeDoc

Detailed vulnerability description

The vulnerability allows a remote attacker to host malicious interactive web content on the affected HedgeDoc instance that can facilitate phishing.

The vulnerability exists because the /uploads/ endpoint serves user-uploaded SVG files without the intended security headers. An SVG is an XML document that can carry script and other active content, so a browser that opens such a file by direct link renders it as an active document from the instance's own origin rather than as a static image. A remote attacker can upload a specially crafted SVG file and link to it directly to host malicious interactive web content, served from the HedgeDoc instance itself, that can facilitate phishing.

Only instances using the filesystem backend for media uploads are affected, and exploitation requires user interaction: a victim must open the attacker's link (UI:A in the CVSS vector).
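
The following is an added example written for this advisory; it is not HedgeDoc project code and does not reproduce the vendor's fix. It shows, as assumptions about a sensible defence for a filesystem upload backend, an upload-time gate that refuses SVGs carrying active content, the response headers that stop a browser from executing a stored SVG opened by direct link (a CSP with the sandbox directive plus X-Content-Type-Options: nosniff), and a checker that an operator can run over a captured header set to confirm what their own instance returns. The function names, the header choices and the two SVG fixtures are all constructed for the example.

```javascript
"use strict";

// Added example, not HedgeDoc project code. Two server-side defences for a
// filesystem upload backend, written as assumptions about a sensible fix,
// not as the vendor's actual patch:
//   1. reject SVG uploads that carry active content, and
//   2. serve every stored SVG with headers that stop a browser from executing
//      it when the file is opened by direct link under /uploads/.
// A third function judges a captured response header set so an operator can
// verify what their instance actually returns.

// Coarse denylist of SVG constructs that execute script or embed active
// content. It is a known-bad gate, not a sanitizer: keep it in front of a
// real sanitizer (e.g. DOMPurify) rather than instead of one.
const ACTIVE_SVG_PATTERNS = [
  /<\s*script\b/i,                                // <script> elements
  /\son[a-z]+\s*=/i,                               // event handlers: onload=, onclick=, ...
  /javascript\s*:/i,                               // javascript: URLs in href / xlink:href
  /<\s*(foreignObject|iframe|embed|object)\b/i,    // embedded HTML documents and plugins
  /<\s*(set|animate)\b[^>]*attributeName\s*=\s*["']?(href|xlink:href)/i, // SMIL rewriting a link target
];

// True if the SVG text matches any active-content pattern.
function svgContainsActiveContent(svgText) {
  return ACTIVE_SVG_PATTERNS.some((re) => re.test(svgText));
}

// Headers to attach when serving a stored upload. For SVG the response gets a
// fixed media type, nosniff, and a CSP whose sandbox directive (without
// allow-scripts) blocks script execution even when the file is opened as a
// top-level document; default-src 'none' makes script-src fall back to 'none'
// as a second line, while inline styles stay allowed so the image still renders.
function hardenUploadHeaders(filename, baseHeaders = {}) {
  const headers = { ...baseHeaders };
  if (/\.svgz?$/i.test(filename)) {
    headers["content-type"] = "image/svg+xml";
    headers["x-content-type-options"] = "nosniff";
    headers["content-security-policy"] =
      "default-src 'none'; style-src 'unsafe-inline'; sandbox";
  }
  return headers;
}

// Parse a CSP header value into a Map of directive name -> source tokens.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) {
      directives.set(tokens[0].toLowerCase(), tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Judge a response header set, e.g. copied from `curl -sI <instance>/uploads/<file>.svg`.
// `safe` is true when at least one mechanism prevents the SVG from running script;
// `findings` lists what is missing. Non-SVG responses are out of scope.
function assessUploadResponse(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const ctype = (h["content-type"] || "").toLowerCase();
  if (!ctype.startsWith("image/svg+xml")) {
    return { svg: false, safe: true, findings: [] };
  }

  const csp = parseCsp(h["content-security-policy"] || "");
  const sandboxBlocksScript =
    csp.has("sandbox") && !csp.get("sandbox").includes("allow-scripts");
  const scriptSrc = csp.get("script-src") || csp.get("default-src") || [];
  const scriptSrcNone = scriptSrc.length === 1 && scriptSrc[0] === "'none'";
  const forcedDownload = (h["content-disposition"] || "").toLowerCase().startsWith("attachment");

  const findings = [];
  if (!sandboxBlocksScript && !scriptSrcNone && !forcedDownload) {
    findings.push("SVG served as an active document: no CSP sandbox, no script-src 'none', no Content-Disposition: attachment");
  }
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("missing X-Content-Type-Options: nosniff");
  }
  return {
    svg: true,
    safe: sandboxBlocksScript || scriptSrcNone || forcedDownload,
    findings,
  };
}

// Constructed fixtures (not real uploads): a plain drawing and one carrying a script element.
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="teal"/></svg>';
const SCRIPTED_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed sample */</script></svg>';

// Walk-through on the fixtures; returns the results rather than only printing them.
function demo() {
  return {
    benignRejected: svgContainsActiveContent(BENIGN_SVG),
    scriptedRejected: svgContainsActiveContent(SCRIPTED_SVG),
    hardened: assessUploadResponse(hardenUploadHeaders("diagram.svg")),
    unhardened: assessUploadResponse({ "Content-Type": "image/svg+xml" }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The header check is the part worth keeping after patching: run it against the real headers your instance returns for a direct link to an uploaded .svg, and treat a result with `safe: false` as the vulnerable configuration described above regardless of what version string the instance reports.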


How to mitigate CVE-2026-25642

Install the security update from the vendor's website. After updating, confirm that SVG files served from /uploads/ on the instance carry the intended security headers, since the issue is in how those files are served rather than in their content.

Sources