PatchSiren

cryptpad CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM cryptpad CVE published 2026-05-20

CVE-2026-26028

CVE-2026-26028 affects CryptPad versions prior to 2026.2.0. The issue is an HTML sanitizer bypass in Diffmarked.js where restricted tags such as <iframe> are not fully validated: only the src attribute is checked, while other attributes are left unchecked. According to the supplied advisory text, this allows an attacker to pair a benign blob: src with a malicious srcdoc value, defeating CryptPad’s intende [truncated]
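An added illustration of the pattern the advisory describes (constructed example, not Diffmarked.js or CryptPad code): a check that validates only src beside one that enforces a per-tag attribute allowlist, so srcdoc is dropped before src is ever inspected. The element shape, the allowlist contents and the sample values are all assumptions.

```javascript
// Added example, not CryptPad's or Diffmarked.js's code. Elements are modelled as
// {tag, attrs} objects, the shape a sanitizer sees after HTML parsing. The scheme
// list, attribute allowlist and sample values below are constructed for illustration.

const SAFE_SRC_SCHEMES = ['blob:'];

// Attributes a restricted tag may carry at all (constructed list). Anything not
// named here is dropped, so srcdoc never reaches the output whatever src looks like.
const ALLOWED_ATTRS = {
  iframe: ['src', 'width', 'height', 'title'],
};

function srcIsSafe(value) {
  return typeof value === 'string' &&
    SAFE_SRC_SCHEMES.some((s) => value.toLowerCase().startsWith(s));
}

// Flawed pattern from the advisory: only src is validated, every other
// attribute is copied through untouched.
function checkSrcOnly(el) {
  if (!(el.tag in ALLOWED_ATTRS)) return null;     // tag not permitted
  if (!srcIsSafe(el.attrs.src)) return null;
  return { tag: el.tag, attrs: { ...el.attrs } };   // srcdoc survives here
}

// Hardened pattern: keep only allowlisted attributes (case-insensitively),
// then validate src. Returns null when the element must be removed entirely.
function sanitizeRestricted(el) {
  const allowed = ALLOWED_ATTRS[el.tag];
  if (!allowed) return null;
  const attrs = {};
  for (const name of Object.keys(el.attrs)) {
    const lower = name.toLowerCase();
    if (allowed.includes(lower)) attrs[lower] = el.attrs[name];
  }
  if (!srcIsSafe(attrs.src)) return null;
  return { tag: el.tag, attrs };
}

// Constructed input: a benign-looking blob: src paired with a srcdoc attribute.
const sample = {
  tag: 'iframe',
  attrs: {
    src: 'blob:https://pad.example/0000-constructed',
    srcdoc: '<p>inline document</p>',
    width: '400',
  },
};
```

Running `checkSrcOnly(sample)` keeps the srcdoc attribute, while `sanitizeRestricted(sample)` returns the iframe with only src and width.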