CVE-2026-43887— Outline: Stored XSS via Comment Mentions
Possible ATT&CK Techniques 2AI
T1059 · Command and Scripting Interpreter T1189 · Drive-by CompromiseGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-43887
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Outline: Stored XSS via Comment Mentions
Source: NVD (National Vulnerability Database)
Vulnerability Description
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or sanitize the href attribute associated with these mentions. As a result, potentially dangerous protocols (e.g., javascript:) are not filtered, introducing a risk of client-side code execution. This vulnerability is fixed in 1.7.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Outline 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Outline是Outline开源的一个知识库。 Outline 0.84.0版本至1.6.1版本存在跨站脚本漏洞,该漏洞源于评论部分允许用户提及他人,但后端未验证或清理与这些提及关联的href属性,导致潜在危险协议未被过滤,存在客户端代码执行风险。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-43887
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-43887
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-43887 (1)
Same Patch Batch · outline · 2026-05-11 · 6 CVEs total
| CVE-2026-43888 | 8.7 HIGH | Outline: Zip Extraction Path Escape via PATH_MAX Truncation in Collection Import |
| CVE-2026-43886 | 8.2 HIGH | Outline: OAuth Scope Validation Logic Error Allows Privilege Escalation to Wildcard API Ac |
| CVE-2026-43890 | 7.7 HIGH | Outline: IDOR in subscriptions.create allows cross-tenant subscription on private document |
| CVE-2026-43889 | 6.5 MEDIUM | Outline: Unauthorized Document Publication via Mixed collectionId+documentId Share |
| CVE-2026-44695 | 5.8 MEDIUM | Outline: Slack OAuth state can link a victim Outline account to an attacker Slack identity |
IV. Related Vulnerabilities
Same product: outline
- CVE-2026-44695
Outline: Slack OAuth state can link a victim Outline account - CVE-2026-43889
Outline: Unauthorized Document Publication via Mixed collect - CVE-2026-43888
Outline: Zip Extraction Path Escape via PATH_MAX Truncation - CVE-2026-43890
Outline: IDOR in subscriptions.create allows cross-tenant su - CVE-2026-43886
Outline: OAuth Scope Validation Logic Error Allows Privilege
Same vendor: outline
- CVE-2026-44695
Outline: Slack OAuth state can link a victim Outline account - CVE-2026-43889
Outline: Unauthorized Document Publication via Mixed collect - CVE-2026-43888
Outline: Zip Extraction Path Escape via PATH_MAX Truncation - CVE-2026-43890
Outline: IDOR in subscriptions.create allows cross-tenant su - CVE-2026-43886
Outline: OAuth Scope Validation Logic Error Allows Privilege
Same weakness: CWE-79
- CVE-2026-42750
WordPress WPComplete plugin <= 2.9.5.4 - Cross Site Scriptin - CVE-2026-42754
WordPress Favicon plugin <= 1.3.46 - Cross Site Scripting (X - CVE-2026-42751
WordPress Booking Manager plugin <= 2.1.18 - Cross Site Scri - CVE-2026-42759
WordPress Affiliate Super Assistent plugin <= 1.10.1 - Cross - CVE-2026-42762
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.
V. Comments for CVE-2026-43887
No comments yet