PT-2026-6783 · Hedgedoc · Hedgedoc

Huseynkhanli · Published 2026-02-06 · Updated 2026-02-25 · CVE-2026-25642

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

HedgeDoc versions prior to 1.10.6

Description

HedgeDoc is a real-time, collaborative, markdown notes application. Versions before 1.10.6 had a permissive Content-Security-Policy for files served under the /uploads/ endpoint. This allowed for the hosting of malicious interactive web content, such as fake login forms, using SVG files. The /uploads/ API endpoint was affected.

Recommendations

Update to version 1.10.6 or later.
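
To check whether a policy served with user-uploaded files still permits the kind of interactive content described above, the following added example (not HedgeDoc's code) parses a Content-Security-Policy header value and reports whether scripts and form submission remain allowed. The function names and sample policies are constructed for illustration; the page does not state the policy HedgeDoc sends before or after 1.10.6.

```python
# Added example: audits one Content-Security-Policy header value as it might be
# returned for a user-uploaded file. All sample policies are constructed.

def parse_csp(header):
    """Parse a CSP header value into {directive: [tokens]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # Per the CSP spec, a repeated directive is ignored; the first one wins.
        if name not in policy:
            # Lowercased because only keywords are compared below.
            policy[name] = [t.lower() for t in tokens[1:]]
    return policy

def upload_csp_findings(header):
    """List what active content the policy still allows in an uploaded file."""
    policy = parse_csp(header)
    sandbox = policy.get("sandbox")  # None if absent, [] for a bare "sandbox"
    findings = []

    # Scripts are blocked by a sandbox lacking allow-scripts, or by a
    # script-src (falling back to default-src) that matches nothing.
    script_src = policy.get("script-src", policy.get("default-src"))
    no_script_sources = script_src is not None and script_src in ([], ["'none'"])
    if not ((sandbox is not None and "allow-scripts" not in sandbox) or no_script_sources):
        findings.append("script execution not blocked")

    # form-action does not fall back to default-src, so "default-src 'none'"
    # alone still lets a form embedded in an SVG submit to any origin.
    form_action = policy.get("form-action")
    no_form_targets = form_action is not None and form_action in ([], ["'none'"])
    if not ((sandbox is not None and "allow-forms" not in sandbox) or no_form_targets):
        findings.append("form submission not blocked")
    return findings

if __name__ == "__main__":
    for sample in ("default-src 'self'; img-src *", "default-src 'none'; sandbox"):
        print(repr(sample), "->", upload_csp_findings(sample) or "no findings")
```

Feed it the header value captured from a response for a file under /uploads/ on your own instance; an empty result means neither scripts nor form submission are permitted by that policy.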

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-25642
GHSA-X74J-JMF9-534W

Affected Products

Hedgedoc