PT-2026-39855 · Outline · Outline
Leonardo-Doyensec · Published 2026-05-11 · Updated 2026-05-12
CVE-2026-43887
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Outline versions 0.84.0 through 1.6.1
Description
The comment section allows users to mention other users, but the backend fails to validate or sanitize the href attribute associated with these mentions. This allows the use of dangerous protocols, such as javascript:, which can lead to client-side code execution via Cross-Site Scripting (XSS), a technique where malicious scripts are injected into trusted websites.
Recommendations
Update to version 1.7.0.
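One way to enforce the check the description says is missing, shown as an added example that is neither Outline's code nor the 1.7.0 fix: a server-side scheme allowlist applied to a mention's href before it is stored. The function names, the base origin and the `{ attrs: { href } }` node shape are assumptions made for illustration.

```javascript
// Added example: server-side scheme allowlist for mention hrefs.
// BASE_URL, ALLOWED_PROTOCOLS, safeMentionHref and sanitizeMentionNode are
// hypothetical names, not identifiers from Outline.
const BASE_URL = "https://wiki.example.com"; // constructed placeholder origin
const ALLOWED_PROTOCOLS = new Set(["https:", "http:", "mailto:"]);

// Returns a normalized href when the scheme is allowlisted, otherwise null.
function safeMentionHref(href) {
  if (typeof href !== "string" || href.length > 2048) return null;
  let url;
  try {
    // The WHATWG parser trims leading/trailing spaces and control characters,
    // removes embedded tabs/newlines and lowercases the scheme, the same
    // normalization a browser applies, so "JaVa\tScRiPt:" parses as "javascript:".
    url = new URL(href, BASE_URL);
  } catch {
    return null; // unparseable input is rejected, never passed through
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Sanitizes a mention node (assumed shape) before it is persisted:
// an unsafe href is dropped, every other attribute is kept.
function sanitizeMentionNode(node) {
  const attrs = { ...node.attrs };
  const href = safeMentionHref(attrs.href);
  if (href === null) delete attrs.href;
  else attrs.href = href;
  return { ...node, attrs };
}

// Constructed sample inputs: two legitimate links and four that must be rejected.
const samples = [
  "/doc/onboarding-abc123",
  "https://wiki.example.com/u/alice",
  "javascript:alert(1)",
  " JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<b>x</b>",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeMentionHref(s));
}
```

Comparing the raw string against a prefix such as `javascript:` would miss the case, whitespace and tab variants; parsing first and allowlisting the resulting scheme avoids that.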
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Outline