Primary

Context

Docmost Cross-Page Attachment Overwrite Vulnerability

Vulnerability

A remote integrity vulnerability has been identified in Docmost, an open-source collaborative wiki and documentation software. This issue affects versions 0.3.0 prior to 0.71.0. The vulnerability arises from improper authorization, allowing low-privileged authenticated users to overwrite attachments on another page within the same workspace. Exploitation involves sending a victim's attachment ID to the 'POST /api/files/upload' endpoint. Notably, this issue requires no interaction from the victim.

Impact

Exploitation of this vulnerability allows for unauthorized overwriting of attachments, potentially leading to loss or corruption of data.

Remediation

Users can upgrade to Docmost version 0.71.0 or later to address this vulnerability.

Added: Apr 15, 2026, 12:30 AM

Updated: Apr 15, 2026, 12:30 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

5.2

remediation

0.0

relevance

5.9

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

5.2

remediation

0.0

relevance

5.9

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Docmost Cross-Page Attachment Overwrite Vulnerability

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating