Skip to main content

Outline CVE-2026-43888

| EUVDEUVD-2026-29332 HIGH
Path Traversal (CWE-22)
2026-05-11 GitHub_M
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
May 11, 2026 - 23:03 EUVD
CVE Published
May 11, 2026 - 21:09 nvd
HIGH 8.7

DescriptionGitHub Advisory

Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When a zip entry's nested path is long enough to push the joined filesystem path over MAX_PATH_LENGTH (4096 bytes), trimFileAndExt silently drops all directory components and returns a bare filename. fs.createWriteStream then opens the file relative to the process working directory instead of inside the extraction sandbox, and the escaped file persists after import cleanup because cleanupExtractedData only removes the temporary extraction directory. This vulnerability is fixed in 1.7.0.

Analysis

Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When a zip entry's nested path is long enough to push the joined filesystem path over MAX_PATH_LENGTH (4096 bytes), trimFileAndExt silently drops all directory components and returns a bare filename. fs.createWriteStream then opens the file relative to the process working directory instead of inside the extraction sandbox, and the escaped file persists after import cleanup because cleanupExtractedData only removes the temporary extraction directory. This vulnerability is fixed in 1.7.0.

CVE-2024-37829 HIGH POC
8.8 Jul 09

An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafte

CVE-2023-54331 HIGH POC
7.8 Jan 13

Outline versions up to - contains a vulnerability that allows attackers to potentially execute arbitrary code with eleva

CVE-2024-37830 MEDIUM POC
6.1 Jul 09

An issue in Outline <= v0.76.1 allows attackers to redirect a victim user to a malicious site via intercepting and chang

CVE-2026-25062 MEDIUM POC
5.5 Feb 11

Outline versions prior to 1.4.0 fail to validate attachment file paths during JSON import, allowing authenticated attack

CVE-2024-40626 MEDIUM POC
5.4 Jul 16

Outline is an open source, collaborative document editor. Rated medium severity (CVSS 5.4), this vulnerability is remote

CVE-2023-3532 MEDIUM POC
5.4 Jul 07

Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to 0.70.1. Rated medium severity (CVSS 5.

CVE-2022-2342 MEDIUM POC
5.4 Jul 07

Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to v0.64.4. Rated medium severity (CVSS 5

CVE-2026-33640 CRITICAL
9.1 Mar 26

Account takeover in Outline collaborative documentation service versions 0.86.0 through 1.5.x enables unauthenticated at

CVE-2026-43886 HIGH
8.2 May 11

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.

CVE-2026-24901 HIGH
8.1 Mar 17

An Insecure Direct Object Reference (IDOR) vulnerability in Outline's document restoration logic allows any authenticate

CVE-2026-43890 HIGH
7.7 May 11

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API end

CVE-2026-41649 HIGH
7.7 Apr 28

Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0

Share

CVE-2026-43888 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy