32 matches found
CVE-2026-43889
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each—skipping the "share" permission check. A subsequent shares.update authorize...
CVE-2026-43886
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope uses Array.some to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the...
CVE-2026-43888
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When a zip entry's...
CVE-2026-43890
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API endpoint in server/routes/api/subscriptions/subscriptions.ts exhibits a broken authorization pattern. When both collectionId and documentId are supplied in the request, the route...
CVE-2026-44695
Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A third party who can obtain a Slack OAuth code for the same Outline Slack client can make a...
CVE-2026-43887
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or sanitize the href attribute associated with these mentions. As a result, potentially dangerous...
CVE-2026-43889
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each—skipping the "share" permission check. A subsequent shares.update authorize...
CVE-2026-43886
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope uses Array.some to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the...
CVE-2026-44695
Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A third party who can obtain a Slack OAuth code for the same Outline Slack client can make a...
CVE-2026-43888
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When a zip entry's...
CVE-2026-43886
Outline (0.84.0–1.6.1) suffers a logic error in OAuthInterface.validateScope() that uses Array.some() to validate requested scopes, causing any valid scope to validate the whole requested scope array and enable a wildcard via scope=read *. This can escalate a read‑only token to full unrestricted ...
CVE-2026-43886 Outline: OAuth Scope Validation Logic Error Allows Privilege Escalation to Wildcard API Access
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope uses Array.some to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the...
CVE-2026-43886
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope uses Array.some to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the...
CVE-2026-43887 Outline: Stored XSS via Comment Mentions
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or sanitize the href attribute associated with these mentions. As a result, potentially dangerous...
PT-2026-39855
Name of the Vulnerable Software and Affected Versions Outline versions 0.84.0 through 1.6.1 Description The comment section allows users to mention other users, but the backend fails to validate or sanitize the href attribute associated with these mentions. This allows the use of dangerous...
PT-2026-39854
Name of the Vulnerable Software and Affected Versions Outline versions 0.84.0 through 1.6.1 Description A logic error exists in the validateScope function within the OAuthInterface. The function utilizes Array.some to validate requested OAuth scopes, which results in the entire scope array being...
CVE-2026-33640
Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or frequency of invalid...
CVE-2026-33640 Outline has a rate limit bypass that allows brute force of email login OTP
Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or frequency of invalid...
CVE-2026-33640 Outline has a rate limit bypass that allows brute force of email login OTP
Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or frequency of invalid...
CVE-2026-24901
Outline is a service that allows for collaborative documentation. Prior to 1.4.0, an Insecure Direct Object Reference IDOR vulnerability in the document restoration logic allows any team member to unauthorizedly restore, view, and seize ownership of deleted drafts belonging to other users,...