PatchSiren cyber security CVE debrief
CVE-2026-58486 hedgedoc CVE debrief
CVE-2026-58486 is a high-severity vulnerability in HedgeDoc, an open-source, real-time, collaborative markdown notes application. The issue, caused by unsafe processing of note frontmatter, allows for a YAML alias bomb attack, which can lead to a denial of service (DoS). The vulnerability exists due to the use of js-yaml.load (js-yaml v3) via @hedgedoc/meta-marked, which resolves YAML anchor aliases. A compact malicious payload can expand into a huge object structure, consuming excessive CPU. This expansion occurs on every request to the publish view (/s/<shortid>) and, when placed under the opengraph key, the editor view (/<noteId>). A ten-level alias bomb can block the single Node.js event loop for roughly 235 seconds per request, causing concurrent requests to hang or drop and rendering the instance unavailable (DoS). The note was stored in the database, so the impact survived process restarts until the note was removed.
- Vendor
- hedgedoc
- Product
- Unknown
- CVSS
- HIGH 8.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of HedgeDoc, especially those hosting it, should be aware of this vulnerability and take immediate action to update to version 1.11.0 or later. Affected operators, platforms, vulnerability-management, and security teams should review the vulnerability and implement necessary mitigations.
Technical summary
The vulnerability exists due to the use of js-yaml.load (js-yaml v3) via @hedgedoc/meta-marked, which resolves YAML anchor aliases. A compact malicious payload can expand into a huge object structure, consuming excessive CPU. This expansion occurs on every request to the publish view (/s/<shortid>) and, when placed under the opengraph key, the editor view (/<noteId>). A ten-level alias bomb can block the single Node.js event loop for roughly 235 seconds per request, causing concurrent requests to hang or drop and rendering the instance unavailable (DoS).
Defensive priority
High
Recommended defensive actions
- Update HedgeDoc to version 1.11.0 or later
- Review and monitor notes for suspicious frontmatter
- Implement additional security measures, such as rate limiting and monitoring
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-13T23:16:47.233Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity. The vulnerability exists in HedgeDoc, an open-source, real-time, collaborative markdown notes application, and is caused by unsafe processing of note frontmatter.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T23:16:47.233Z and has not been modified since then.