PatchSiren

hedgedoc CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM hedgedoc CVE published 2026-07-13

CVE-2026-58489

CVE-2026-58489 is a MEDIUM severity vulnerability in HedgeDoc, an open source, real-time collaborative markdown notes application. Prior to version 1.11.0, the GitHub Gist export flow was susceptible to a callback URL forgery attack due to improper validation of the OAuth2 state value. An attacker could forge a callback URL containing their own valid GitHub OAuth code, potentially allowing them to export [truncated]

HIGH hedgedoc CVE published 2026-07-13

CVE-2026-58486

CVE-2026-58486 is a high-severity vulnerability in HedgeDoc, an open-source, real-time, collaborative markdown notes application. The issue, caused by unsafe processing of note frontmatter, allows for a YAML alias bomb attack, which can lead to a denial of service (DoS). The vulnerability exists due to the use of js-yaml.load (js-yaml v3) via @hedgedoc/meta-marked, which resolves YAML anchor aliases. A co [truncated]

MEDIUM hedgedoc CVE published 2026-07-13

CVE-2026-58488

CVE-2026-58488 is a vulnerability in HedgeDoc, an open-source, real-time, collaborative markdown notes application. The vulnerability allowed attackers to bypass rate limiting by spoofing IP addresses using the cf-connecting-ip header. This made it possible for an attacker to spam login requests or create multiple arbitrary accounts by sending another cf-connecting-ip header every few requests. The issue [truncated]

MEDIUM hedgedoc CVE published 2026-07-13

CVE-2026-58487

CVE-2026-58487 is a stored HTML injection vulnerability in HedgeDoc, a real-time, collaborative, markdown notes application. The vulnerability was caused by the unsafe handling of the local-part of registered email addresses. An attacker could register a specially crafted email address and inject arbitrary HTML into pages viewed by other users. The vulnerability has a CVSS score of 5.1 and a severity of M [truncated]