Lucene search
K

10 matches found

CVE
CVE
added 2022/02/22 8:5 p.m.164 views

CVE-2022-23654

Wiki.js (Node.js-based wiki) is affected by CVE-2022-23654 where an authenticated writer can update a page outside allowed paths by supplying a different target page ID while keeping the path, because access control checks the path against user-provided values instead of the actual path for the p...

8.1CVSS6.8AI score0.00712EPSS
CVE
CVE
added 2022/05/12 7:45 a.m.90 views

CVE-2022-1681

CVE-2022-1681 affects Wiki.js (Requarks) prior to version 2.5.281. The vulnerability is an authentication bypass via an alternate path or channel that could allow an attacker to gain root-equivalent permissions on the system. The issue arises in Wiki.js and is documented across multiple sources (...

9CVSS7.1AI score0.01889EPSS
CVE
CVE
added 2021/12/27 6:5 p.m.77 views

CVE-2021-43856

CVE-2021-43856 concerns Wiki.js (Node.js) up to version 2.5.263, vulnerable to stored cross-site scripting via non-image file uploads that can be viewed inline in the browser. By uploading a file that executes inline JS when opened directly (e.g., an XML file), an attacker could trigger a stored ...

8.2CVSS5.7AI score0.00887EPSS
CVE
CVE
added 2020/05/05 8:45 p.m.70 views

CVE-2020-11051

CVE-2020-11051 : Wiki.js before 2.3.81 has a stored XSS in the Markdown editor. An editor with write access can inject payloads into content; when another editor loads the same page in the Markdown editor, the payload can execute in the preview panel. The HTML sanitization strips the payload in r...

6.9CVSS5.1AI score0.0061EPSS
CVE
CVE
added 2020/06/16 9:55 p.m.55 views

CVE-2020-4052

Wiki.js (before 2.4.107) is affected by a stored cross-site scripting (XSS) via template injection. The root cause is an insecure validation mechanism intended to insert v-pre tags into rendered HTML elements containing curly braces, allowing a crafted wiki page to execute malicious JavaScript wh...

6.3CVSS6.1AI score0.00835EPSS
CVE
CVE
added 2021/12/27 6:5 p.m.50 views

CVE-2021-43855

Wiki.js 2.5.263 and earlier are vulnerable to a stored cross-site scripting (XSS) flaw via an SVG file upload using a forged MIME type. A crafted SVG can trigger JavaScript execution when viewed directly by other users; scripts do not run when the SVG is loaded through standard img tags. The issu...

8.2CVSS5.7AI score0.00887EPSS
CVE
CVE
added 2021/12/06 6:50 p.m.45 views

CVE-2021-43800

CVE-2021-43800 affects Wiki.js (Node.js) prior to version 2.5.254. Affected condition: on Windows, when a storage module with local asset caching (e.g., Local File System or Git) is enabled and no web application firewall strips malicious URLs. The vulnerability allows directory traversal outside...

7.5CVSS7.4AI score0.01738EPSS
CVE
CVE
added 2021/03/18 5:10 p.m.42 views

CVE-2021-21383

Wiki.js (Node.js-based wiki app) prior to version 2.5.191 is affected by a stored cross-site scripting (XSS) flaw in code blocks due to mustache expressions being parsed by Vue during content injection inside a element. The issue arises when a crafted wiki page triggers execution of malicious Ja...

7.6CVSS5.7AI score0.00876EPSS
CVE
CVE
added 2020/10/26 6:35 p.m.35 views

CVE-2020-15274

CVE-2020-15274 — Wiki.js : A stored XSS was possible via page titles in Wiki.js before v2.5.162, exploitable through search results where the title text wasn’t properly escaped. The root cause, as described, was incomplete escaping in search results content, while navigation links and the actual ...

5.8CVSS5.3AI score0.00755EPSS
CVE
CVE
added 2026/05/12 8:33 p.m.21 views

CVE-2026-44224

Wiki.js 2.x prior to 2.5.313 is affected by a privilege-escalation in the users.update GraphQL mutation: it accepts an arbitrary groups array and writes it to the database without validating group IDs or enforcing ownership checks. An attacker with manage:users can set groups:[1] on their own acc...

8.8CVSS5.9AI score0.00379EPSS