CVE-2026-25642 MEDIUM

CVE-2026-25642: HedgeDoc security headers for uploaded files were not working

Vendor Hedgedoc

Product hedgedoc

Weakness CWE-79 · XSS

Published February 6, 2026

Last update February 6, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in a too open Content-Security-Policy and furthermore opened the possibility to host malicious interactive web content (such as fake login forms) using SVG files. This vulnerability is fixed in 1.10.6.

Key dates

02Disclosure timeline

February 6, 2026 CVE published

February 6, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-25642 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2026-32757 Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection CVE-2023-0607 Cross-site Scripting (XSS) - Stored in projectsend/projectsend CVE-2025-23601 WordPress Tab My Content plugin <= 1.0.0 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2023-47660 WordPress Product Visibility by Country for WooCommerce Plugin <= 1.4.9 is vulnerable to Cross Site Scripting (XSS) CVE-2025-7653 EPay.bg Payments <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting