CVE-2026-33193

MEDIUM 4.6

Docmost vulnerable to stored XSS via MIME type spoofing

CVSS Score

4.6

EPSS Score

0.0%

EPSS Percentile

8th

Docmost is open-source collaborative wiki and documentation software. Versions prior to 0.70.0 are vulnerable to a stored cross-site scripting (XSS) attack due to improper handling of MIME type spoofing (GHSL-2026-052). An attacker could exploit this flaw to inject malicious scripts, potentially compromising the security of users and data. Version 0.70.0 contains a patch.

CWE	CWE-79
Vendor	docmost
Product	docmost
Published	Apr 14, 2026
Last Updated	Apr 16, 2026

Stay Ahead of the Next One

Get instant alerts for docmost docmost

Be the first to know when new medium vulnerabilities affecting docmost docmost are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

docmost / docmost

< 0.70.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/docmost/docmost/security/advisories/GHSA-7cq4-577p-wp6p