Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When a zip entry's nested path is long enough to push the joined filesystem path over MAX_PATH_LENGTH (4096 bytes), trimFileAndExt silently drops all directory components and returns a bare filename. fs.createWriteStream then opens the file relative to the process working directory instead of inside the extraction sandbox, and the escaped file persists after import cleanup because cleanupExtractedData only removes the temporary extraction directory. This vulnerability is fixed in 1.7.0.
Analysis
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When a zip entry's nested path is long enough to push the joined filesystem path over MAX_PATH_LENGTH (4096 bytes), trimFileAndExt silently drops all directory components and returns a bare filename. fs.createWriteStream then opens the file relative to the process working directory instead of inside the extraction sandbox, and the escaped file persists after import cleanup because cleanupExtractedData only removes the temporary extraction directory. This vulnerability is fixed in 1.7.0.
An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafte
Outline versions up to - contains a vulnerability that allows attackers to potentially execute arbitrary code with eleva
An issue in Outline <= v0.76.1 allows attackers to redirect a victim user to a malicious site via intercepting and chang
Outline versions prior to 1.4.0 fail to validate attachment file paths during JSON import, allowing authenticated attack
Outline is an open source, collaborative document editor. Rated medium severity (CVSS 5.4), this vulnerability is remote
Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to 0.70.1. Rated medium severity (CVSS 5.
Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to v0.64.4. Rated medium severity (CVSS 5
Account takeover in Outline collaborative documentation service versions 0.86.0 through 1.5.x enables unauthenticated at
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.
An Insecure Direct Object Reference (IDOR) vulnerability in Outline's document restoration logic allows any authenticate
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API end
Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29332