CVE-2026-26028

Source
https://cve.org/CVERecord?id=CVE-2026-26028
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26028.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-26028
Aliases
Published
2026-05-20T18:51:43.643Z
Modified
2026-07-08T08:12:41.307791674Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
CryptPad: Sanitizer Bypass in Diffmarked.js Allows Arbitrary HTML Injection and Potential XSS
Details

CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of <iframe>, <video>, and <audio> elements, leaving all other attributes unchecked. As a result, an attacker can inject arbitrary HTML through srcdoc, completely defeating CryptPad's intended bounce sandboxing and enabling link injection or other interactive content within user-controlled documents. The root cause lies in how the sanitizer classifies and enforces tag restrictions: although it defines both forbidden and restricted tag lists, <iframe> is treated as "restricted" rather than "forbidden." Enforcement then inspects only the src attribute, so pairing a benign blob: src with a malicious srcdoc results in unrestricted rendering. This issue has been fixed in version 2026.2.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26028.json",
    "cwe_ids": [
        "CWE-116",
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/cryptpad/cryptpad

Affected ranges

Type
GIT
Repo
https://github.com/cryptpad/cryptpad
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2026.2.0"
        }
    ]
}

Affected versions

0.*
0.2.0
0.3.0
1.*
1.1.0
1.1.1
1.11.0
1.12.0
1.18.0
1.2.0
1.20.0
1.21.0
1.22.0
1.23.0
1.24.0
1.3.0
1.4.0
1.8.0
1.9.0
2.*
2.17.0
2.17.05
2.17.06
2.19.0
2.21.0
2.22.0
2024.*
2024.3.0
2024.3.1
2024.6.0
2025.*
2025.3.0
2025.3.1
2025.6.0
2025.9.0
3.*
3.10.0
3.14.0
3.15.0
3.18.0
3.18.1
3.20.1
3.23.0
3.23.1
3.23.2
3.3.0
3.7.0
3.8.0
3.9.0
4.*
4.4.0
4.5.0
4.6.0
4.7.0
4.8.0
5.*
5.2.0
5.2.1
5.3.0
5.4.0
5.5.0
5.6.0
5.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26028.json"