CVE-2026-33193 MEDIUM

CVE-2026-33193: Docmost vulnerable to stored XSS via MIME type spoofing

Vendor Docmost
Product docmost
Weakness CWE-79 · XSS
Published April 14, 2026
Last update April 16, 2026

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

Docmost is open-source collaborative wiki and documentation software. Versions prior to 0.70.0 are vulnerable to a stored cross-site scripting (XSS) attack due to improper handling of MIME type spoofing (GHSL-2026-052). An attacker could exploit this flaw to inject malicious scripts, potentially compromising the security of users and data. Version 0.70.0 contains a patch.

Key dates

02 Disclosure timeline

April 14, 2026 CVE published
April 16, 2026 Record updated