CVE-2026-25642

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

4.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N                                    

Vulnerability Description

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in a too open Content-Security-Policy and furthermore opened the possibility to host malicious interactive web content (such as fake login forms) using SVG files. This vulnerability is fixed in 1.10.6.

Vulnerability Details

Published Date

February 06, 2026

Last Modified

February 06, 2026

CWE ID

CWE-79

Source

NVD

Vendor

hedgedoc

Product

hedgedoc

External References

https://github.com/hedgedoc/hedgedoc/commit/74daa0e7a1cbfafd9aeb255eaf064dfe47cd401c
https://github.com/hedgedoc/hedgedoc/commit/b930fe04cee92cd4723044030bb59c36781c7137
https://github.com/hedgedoc/hedgedoc/releases/tag/1.10.6
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-x74j-jmf9-534w

CVE-2026-25642

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment