PatchSiren cyber security CVE debrief
CVE-2026-26028 cryptpad CVE debrief
CVE-2026-26028 affects CryptPad versions prior to 2026.2.0. The issue is an HTML sanitizer bypass in Diffmarked.js where restricted tags such as <iframe> are not fully validated: only the src attribute is checked, while other attributes are left unchecked. According to the supplied advisory text, this allows an attacker to pair a benign blob: src with a malicious srcdoc value, defeating CryptPad’s intended bounce sandboxing and enabling injected interactive content in user-controlled documents. The issue is fixed in CryptPad 2026.2.0.
- Vendor: cryptpad
- Product: Unknown
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
CryptPad administrators, self-hosted deployers, security teams reviewing collaborative document systems, and anyone relying on Diffmarked.js sanitization to constrain embedded HTML content should prioritize this fix.
Technical summary
The supplied record identifies a sanitizer design flaw in Diffmarked.js used by CryptPad. The sanitizer distinguishes between forbidden and restricted tags, but <iframe> is treated as restricted rather than forbidden. Enforcement then validates only src for <iframe>, <video>, and <audio>, leaving other attributes unchecked. For <iframe>, that means an attacker can supply a harmless src while using srcdoc to inject arbitrary HTML. NVD metadata classifies the issue as CVSS 3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, with CWE-79 and CWE-116 listed as primary weaknesses.
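To make the flaw class concrete, the following added example (not CryptPad's or Diffmarked.js's own code) places a weak "src-only" check for restricted tags beside a hardened per-tag attribute allowlist. The tag list, the allowlists, the blob:-only URL policy and the sample embeds are assumptions constructed for illustration.

```javascript
// Added example, not CryptPad's or Diffmarked.js's code. Elements are modelled
// as plain { tag, attrs } objects so the checks run without a DOM.
const RESTRICTED_TAGS = new Set(["iframe", "video", "audio"]);

// Assumed URL policy for restricted sources: only blob: URLs are accepted.
function isAllowedSrc(value) {
  return typeof value === "string" && /^blob:/i.test(value);
}

// Lower-cases attribute names so "SRC" and "src" are treated alike.
function normalizeAttrs(attrs) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) out[name.toLowerCase()] = value;
  return out;
}

// Weak check, illustrating the flaw class: only src is validated, so any other
// attribute on a restricted tag (srcdoc included) passes through untouched.
function weakCheck(el) {
  if (!RESTRICTED_TAGS.has(el.tag.toLowerCase())) return true; // other rules apply
  return isAllowedSrc(normalizeAttrs(el.attrs).src);
}

// Hardened check: a restricted tag may carry only allowlisted attributes and its
// src must still satisfy the URL policy; unknown attributes reject the element.
const ALLOWED_ATTRS = {
  iframe: new Set(["src", "width", "height", "sandbox"]),
  video: new Set(["src", "controls", "width", "height"]),
  audio: new Set(["src", "controls"]),
};
function hardenedCheck(el) {
  const tag = el.tag.toLowerCase();
  if (!RESTRICTED_TAGS.has(tag)) return true;
  const attrs = normalizeAttrs(el.attrs);
  if (!Object.keys(attrs).every((n) => ALLOWED_ATTRS[tag].has(n))) return false;
  return isAllowedSrc(attrs.src);
}

// Returns the embeds a given check rejects, for auditing a document's content.
function rejectedBy(check, elements) {
  return elements.filter((el) => !check(el));
}

// Constructed sample embeds: a well-formed iframe, an iframe with an extra
// attribute beside a benign src, and a video whose source fails the policy.
const SAMPLE_EMBEDS = [
  { tag: "iframe", attrs: { src: "blob:https://pad.example.invalid/a1", width: "400" } },
  { tag: "iframe", attrs: { src: "blob:https://pad.example.invalid/a1", srcdoc: "<p>extra</p>" } },
  { tag: "video", attrs: { src: "https://cdn.example.invalid/clip.mp4", controls: "" } },
];
```

Running `rejectedBy` with both checks over the same document shows the difference directly: the weak check lets the second iframe through on the strength of its src alone, while the hardened check rejects it because srcdoc is not an allowlisted attribute.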
Defensive priority
High for any deployment that accepts untrusted or shared document content. The flaw is reachable through user interaction and can undermine HTML isolation expectations inside collaborative documents, so upgrading to the fixed CryptPad release should be treated as a prompt maintenance item.
Recommended defensive actions
- Upgrade CryptPad to version 2026.2.0 or later.
- Review any customizations or forks that reuse Diffmarked.js sanitization logic for similar tag/attribute filtering mistakes.
- Treat untrusted embedded HTML in collaborative documents as potentially unsafe until the patched version is deployed.
- Validate that your deployment process has actually rolled forward to the fixed release, especially in self-hosted environments.
- Monitor for unexpected embedded content patterns in shared documents while planning and verifying remediation.
Evidence notes
This debrief is based only on the supplied CVE record, NVD metadata, and the linked GitHub release/advisory references. The supplied description states that versions prior to 2026.2.0 are affected and that the issue is fixed in 2026.2.0. NVD metadata supplies the CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and CWE-79/CWE-116 classifications. The publication timestamp used here is the supplied CVE publishedAt value: 2026-05-20T20:16:36.760Z.
Official resources
The CVE was published on 2026-05-20T20:16:36.760Z, per the supplied record. Use that CVE publication timestamp for timing context; do not substitute generation or review time.