CVE-2026-25642

Source
https://cve.org/CVERecord?id=CVE-2026-25642
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25642.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25642
Aliases
  • GHSA-x74j-jmf9-534w
Published
2026-02-06T19:23:59.991Z
Modified
2026-02-27T07:34:16.910737Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
HedgeDoc security headers for uploaded files were not working
Details

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served under the /uploads/ endpoint were not delivered with a stricter security policy. This resulted in an overly permissive Content-Security-Policy and additionally made it possible to host malicious interactive web content (such as fake login forms) via uploaded SVG files. This vulnerability is fixed in 1.10.6.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25642.json"
}
References

Affected packages

Git / github.com/hedgedoc/hedgedoc

Affected ranges

Type
GIT
Repo
https://github.com/hedgedoc/hedgedoc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.5.0
1.*
1.0.0-ce
1.0.1-ce
1.1.0-ce
1.1.1-ce
1.10.0
1.10.1
1.10.2
1.10.4
1.10.5
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.4.0
1.5.0
1.6.0
1.7.0
1.7.0-rc1
1.7.0-rc2
1.7.1
1.7.2
1.8.0
1.8.0-rc1
1.8.1
1.8.2
1.9.0
1.9.0-rc1
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.9.7
1.9.8
1.9.9
v0.*
v0.3.3
v0.3.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25642.json"