PT-2026-42220 · Cryptpad · Cryptpad

Ixsly · Published 2026-05-20 · Updated 2026-05-26 · CVE-2026-26028

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

CryptPad versions prior to 2026.2.0
Description

The HTML sanitizer in Diffmarked.js contains a flaw where it fails to properly filter attributes on restricted tags. While the sanitizer validates the src attribute for <iframe>, <video>, and <audio> elements, it does not check other attributes. This allows an attacker to inject arbitrary HTML using the srcdoc attribute, bypassing the intended bounce sandboxing and enabling link injection or other interactive content within user-controlled documents. The issue occurs because <iframe> is classified as a restricted tag rather than a forbidden one, and the enforcement mechanism only inspects the src attribute.
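The gap described above, reduced to a simplified model and set beside an attribute-allowlist check. This is an added example, not code from CryptPad or Diffmarked.js and not the 2026.2.0 patch; the `{ tag, attrs }` node shape, the function names, the `controls` rule and the `media.example.invalid` prefix are assumptions.

```javascript
// Simplified model (not CryptPad's code): a parsed element is { tag, attrs }.
const RESTRICTED = new Set(['iframe', 'video', 'audio']);

// Assumption: stand-in for the real src validation; the prefix is a placeholder.
const isAllowedSrc = (v) =>
  typeof v === 'string' && v.startsWith('https://media.example.invalid/');

// Flawed pattern: on restricted tags only src is inspected.
function sanitizeSrcOnly(node) {
  if (!RESTRICTED.has(node.tag.toLowerCase())) return node;
  if (!isAllowedSrc(node.attrs.src)) return null; // element dropped
  return node; // every other attribute, srcdoc included, passes through
}

// Hardened pattern: per-tag attribute allowlist, each kept value validated.
const ALLOWED_ATTRS = {
  iframe: { src: isAllowedSrc },
  video: { src: isAllowedSrc, controls: () => true },
  audio: { src: isAllowedSrc, controls: () => true },
};

function sanitizeAllowlist(node) {
  const tag = node.tag.toLowerCase();
  if (!RESTRICTED.has(tag)) return node;
  const rules = ALLOWED_ATTRS[tag];
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs)) {
    const key = name.toLowerCase();
    // Own-property check so names like "constructor" never match a rule.
    if (Object.prototype.hasOwnProperty.call(rules, key) && rules[key](value)) {
      attrs[key] = value;
    }
  }
  // Without a valid src nothing is left to embed: drop the element.
  return 'src' in attrs ? { tag, attrs } : null;
}

// Constructed sample: a valid src plus srcdoc. Browsers render srcdoc in
// preference to src, so checking src alone says nothing about what is shown.
const sample = {
  tag: 'iframe',
  attrs: {
    src: 'https://media.example.invalid/clip',
    srcdoc: '<a href="https://example.invalid/">link</a>',
  },
};

console.log('src-only :', Object.keys(sanitizeSrcOnly(sample).attrs));
console.log('allowlist:', Object.keys(sanitizeAllowlist(sample).attrs));
```

Denying `srcdoc` by name would close this one attribute; the allowlist instead drops anything not explicitly validated, which also covers attributes the sanitizer's authors did not anticipate.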
Recommendations

Update to version 2026.2.0.

Fix

Improper Encoding or Escaping of Output

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-26028
GHSA-G2G4-47GV-P72V

Affected Products

Cryptpad