← Back

CVE-2026-34213

nvd nist
Published: Apr 14, 2026Modified: Apr 22, 2026

JSON object

Loading...
5.4
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Exploitability: 2.8 / Impact: 2.5
Source: security-advisories@github.com (Secondary)

Description

Docmost is open-source collaborative wiki and documentation software. Starting in version 0.3.0 and prior to version 0.71.0, improper authorization in Docmost allows a low-privileged authenticated user to overwrite another page's attachment within the same workspace by supplying a victim `attachmentId` to `POST /api/files/upload`. This is a remote integrity issue requiring no victim interaction. Version 0.71.0 contains a patch.

Affected (1)

Products: Docmost: Docmost
Docmost
1 product
Docmost
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Docmost
From 0.3.0 to 0.71.0

Related CWEs

CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (1)

Source: security-advisories@github.com
Vendor Advisory

Timeline

No history available yet.