Skip to main content

Hedgedoc

16 CVEs product

Monthly

CVE-2026-58489 MEDIUM This Month

HedgeDoc's GitHub Gist export feature exposes private and protected note content to attacker-controlled GitHub accounts via OAuth2 state parameter forgery. Versions prior to 1.11.0 generated an OAuth2 state token during the Gist export flow but validated only its presence - not its binding to the initiating user session - enabling a cross-site request forgery attack. An attacker who tricks a logged-in victim into clicking a crafted callback URL can redirect the victim's note export to the attacker's own GitHub Gist, bypassing any note visibility controls. No public exploit code or CISA KEV listing is identified at time of analysis, but a confirmed patch exists in version 1.11.0.

CSRF Hedgedoc
NVD GitHub
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-58486 HIGH This Week

Denial of service in HedgeDoc before 1.11.0 lets a user who can store a note crash the instance by embedding a YAML "alias bomb" in the note frontmatter. Because HedgeDoc parsed frontmatter with the unsafe js-yaml v3 load (via @hedgedoc/meta-marked) and resolved anchor aliases, a compact ten-level payload expands into a massive object that blocks the single Node.js event loop for roughly 235 seconds on every request to the publish view (/s/<shortid>) or, under the opengraph key, the editor view (/<noteId>). No public exploit has been identified at time of analysis and the flaw is not in CISA KEV, but the stored payload persists in the database and re-triggers after process restarts, making outages durable until the note is deleted.

Node.js Denial Of Service Hedgedoc
NVD GitHub
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-58487 MEDIUM This Month

Stored HTML injection in HedgeDoc prior to 1.11.0 allows low-privileged, registered attackers to inject arbitrary HTML into publish views, slide views, and the collaborative editor by registering an email address with an RFC 5321 quoted-string local-part, which is then rendered as the display name without output encoding. Victims who view affected pages are exposed to content manipulation and attacker-controlled cross-origin iframe embedding; direct JavaScript execution is mitigated by the deployed Content-Security-Policy, but phishing, UI redressing, and resource injection remain viable. No public exploit code has been identified at time of analysis, and no KEV listing exists; the fix is available in version 1.11.0.

XSS Hedgedoc
NVD GitHub
CVSS 4.0
5.1
EPSS
0.4%
CVE-2026-58488 MEDIUM This Month

Rate-limiting bypass in HedgeDoc prior to 1.11.0 permits unauthenticated remote attackers to circumvent brute-force protections on the /login and /register endpoints by injecting arbitrary cf-connecting-ip headers, cycling apparent source IPs per request. This enables unlimited credential-stuffing attacks against login and bulk registration of throwaway accounts. No public exploit code identified at time of analysis; the issue is confirmed fixed in version 1.11.0 per the vendor's GitHub Security Advisory.

Authentication Bypass Hedgedoc
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-25642 MEDIUM PATCH This Month

HedgeDoc prior to version 1.10.6 allows attackers to bypass content security policies on files served from the /uploads/ endpoint, enabling them to host malicious interactive content such as fake login forms via SVG files. This network-based attack requires user interaction but can lead to credential theft or social engineering attacks. A patch is available in version 1.10.6.

File Upload XSS Hedgedoc
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-32391 MEDIUM PATCH This Month

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Hedgedoc
NVD GitHub
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-45308 MEDIUM POC PATCH This Month

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Denial Of Service Hedgedoc
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-38487 HIGH POC PATCH This Week

HedgeDoc is software for creating real-time collaborative markdown notes. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Hedgedoc
NVD GitHub
CVSS 3.1
8.2
EPSS
0.7%
CVE-2022-24837 MEDIUM PATCH This Month

HedgeDoc is an open-source, web-based, self-hosted, collaborative markdown editor. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Hedgedoc
NVD GitHub
CVSS 3.1
5.3
EPSS
1.1%
CVE-2021-39175 MEDIUM PATCH This Month

HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Hedgedoc
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-29503 MEDIUM PATCH This Month

HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Hedgedoc
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2021-29474 MEDIUM POC This Month

HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Hedgedoc
NVD GitHub
CVSS 3.1
5.8
EPSS
1.6%
CVE-2021-29475 CRITICAL PATCH Act Now

HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Docker RCE Code Injection Hedgedoc
NVD GitHub
CVSS 3.1
10.0
EPSS
1.2%
CVE-2021-21259 MEDIUM POC PATCH This Month

HedgeDoc is open source software which lets you create real-time collaborative markdown notes. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Hedgedoc
NVD GitHub
CVSS 3.1
6.1
EPSS
1.4%
CVE-2020-26287 HIGH POC PATCH This Week

HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Google Hedgedoc
NVD GitHub
CVSS 3.1
8.7
EPSS
1.4%
CVE-2020-26286 HIGH PATCH This Week

HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload PHP Hedgedoc
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
EPSS 0% CVSS 6.8
MEDIUM This Month

HedgeDoc's GitHub Gist export feature exposes private and protected note content to attacker-controlled GitHub accounts via OAuth2 state parameter forgery. Versions prior to 1.11.0 generated an OAuth2 state token during the Gist export flow but validated only its presence - not its binding to the initiating user session - enabling a cross-site request forgery attack. An attacker who tricks a logged-in victim into clicking a crafted callback URL can redirect the victim's note export to the attacker's own GitHub Gist, bypassing any note visibility controls. No public exploit code or CISA KEV listing is identified at time of analysis, but a confirmed patch exists in version 1.11.0.

CSRF Hedgedoc
NVD GitHub
EPSS 0% CVSS 8.3
HIGH This Week

Denial of service in HedgeDoc before 1.11.0 lets a user who can store a note crash the instance by embedding a YAML "alias bomb" in the note frontmatter. Because HedgeDoc parsed frontmatter with the unsafe js-yaml v3 load (via @hedgedoc/meta-marked) and resolved anchor aliases, a compact ten-level payload expands into a massive object that blocks the single Node.js event loop for roughly 235 seconds on every request to the publish view (/s/<shortid>) or, under the opengraph key, the editor view (/<noteId>). No public exploit has been identified at time of analysis and the flaw is not in CISA KEV, but the stored payload persists in the database and re-triggers after process restarts, making outages durable until the note is deleted.

Node.js Denial Of Service Hedgedoc
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored HTML injection in HedgeDoc prior to 1.11.0 allows low-privileged, registered attackers to inject arbitrary HTML into publish views, slide views, and the collaborative editor by registering an email address with an RFC 5321 quoted-string local-part, which is then rendered as the display name without output encoding. Victims who view affected pages are exposed to content manipulation and attacker-controlled cross-origin iframe embedding; direct JavaScript execution is mitigated by the deployed Content-Security-Policy, but phishing, UI redressing, and resource injection remain viable. No public exploit code has been identified at time of analysis, and no KEV listing exists; the fix is available in version 1.11.0.

XSS Hedgedoc
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Rate-limiting bypass in HedgeDoc prior to 1.11.0 permits unauthenticated remote attackers to circumvent brute-force protections on the /login and /register endpoints by injecting arbitrary cf-connecting-ip headers, cycling apparent source IPs per request. This enables unlimited credential-stuffing attacks against login and bulk registration of throwaway accounts. No public exploit code identified at time of analysis; the issue is confirmed fixed in version 1.11.0 per the vendor's GitHub Security Advisory.

Authentication Bypass Hedgedoc
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

HedgeDoc prior to version 1.10.6 allows attackers to bypass content security policies on files served from the /uploads/ endpoint, enabling them to host malicious interactive content such as fake login forms via SVG files. This network-based attack requires user interaction but can lead to credential theft or social engineering attacks. A patch is available in version 1.10.6.

File Upload XSS Hedgedoc
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Hedgedoc
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Denial Of Service Hedgedoc
NVD GitHub
EPSS 1% CVSS 8.2
HIGH POC PATCH This Week

HedgeDoc is software for creating real-time collaborative markdown notes. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Hedgedoc
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

HedgeDoc is an open-source, web-based, self-hosted, collaborative markdown editor. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Hedgedoc
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Hedgedoc
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

HedgeDoc is a platform to write and share markdown. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Hedgedoc
NVD GitHub
EPSS 2% CVSS 5.8
MEDIUM POC This Month

HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Hedgedoc
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Docker RCE Code Injection +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

HedgeDoc is open source software which lets you create real-time collaborative markdown notes. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Hedgedoc
NVD GitHub
EPSS 1% CVSS 8.7
HIGH POC PATCH This Week

HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Google Hedgedoc
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

HedgeDoc is a collaborative platform for writing and sharing markdown. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload PHP Hedgedoc
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy