CVE-2026-34212

Name of the Vulnerable Software and Affected Versions Docmost versions prior to 0.71.0

Description Improper neutralization of attachment URLs allows a low-privileged authenticated user to store a malicious javascript: URL inside an attachment node in page content. When another user views the page and activates the attachment link or icon, attacker-controlled JavaScript executes in the context of the Docmost origin. This is a Stored Cross-Site Scripting (XSS) issue, where a script is permanently stored on the target server and executed in the victim's browser.

Recommendations Update to version 0.71.0.