Platform
nodejs
Component
docmost
Fixed in
0.24.1
CVE-2026-22249 describes an arbitrary file write (Zip Slip) vulnerability in Docmost, an open-source collaborative wiki and documentation platform. Archive entries are not validated during ZIP import, so an attacker who can submit an archive for import can write files outside the intended import directory, potentially leading to unauthorized modification of the installation or code execution. The vulnerability affects versions 0.21.0 through 0.23.9; a fix is available in version 0.24.0.
An arbitrary file write on the server is a high-impact primitive. Because entries with path-traversal names (for example ../../) are extracted wherever they point, the attacker can create or overwrite any file the Docmost process can write: application source or configuration, startup scripts, or other files the server later loads or executes. That is the route from "file write" to remote code execution and, from there, to full compromise of the host, exfiltration of wiki content and disruption of service. Overwriting existing files can also corrupt the wiki's data or silently alter its behaviour. Since Docmost is used to store internal documentation, the content it holds is often sensitive in itself.
CVE-2026-22249 was publicly disclosed on 2026-01-15. As of that date no public exploit or active campaign had been reported, and the vulnerability is not listed in the CISA KEV catalog. No public proof-of-concept is available, but Zip Slip flaws are typically straightforward to exploit: the attacker needs only a crafted archive and access to the import function.
Exploit Status
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2026-22249 is to upgrade Docmost to version 0.24.0 or later, which contains the fix. If an immediate upgrade is not feasible, limit who can use the ZIP import feature to trusted, authenticated users, or disable it until the upgrade is done. Run Docmost under a low-privilege account whose write access is confined to the directories it actually needs, so that a traversal write cannot reach application code or system paths. Monitor the host for unexpected file creation or modification outside the import and upload directories, and consider web application firewall rules that flag archive uploads to the import endpoint from unexpected sources.
Upgrade Docmost to version 0.24.0 or later. This version fixes the arbitrary file write (Zip Slip) vulnerability by properly validating entry file names during ZIP import, which prevents the possible execution of malicious code through manipulated archive contents.
CVE-2026-22249 is a HIGH severity vulnerability in Docmost versions 0.21.0 through 0.23.9 that allows attackers to write arbitrary files via the Zip Import Feature, potentially leading to code execution.
You are affected if you are running Docmost versions 0.21.0 through 0.23.9. Upgrade to version 0.24.0 or later to resolve the vulnerability.
Upgrade Docmost to version 0.24.0 or later. As a temporary workaround, restrict the ZIP import feature to trusted users or disable it, and confine the Docmost process's write access to the directories it needs.
As of the current date, there are no reports of active exploitation targeting CVE-2026-22249.
Refer to the Docmost project's official website or security advisories for the latest information and updates regarding CVE-2026-22249.