10 matches found
CVE-2022-23654
Wiki.js (Node.js-based wiki) is affected by CVE-2022-23654 where an authenticated writer can update a page outside allowed paths by supplying a different target page ID while keeping the path, because access control checks the path against user-provided values instead of the actual path for the p...
CVE-2022-1681
CVE-2022-1681 affects Wiki.js (Requarks) prior to version 2.5.281. The vulnerability is an authentication bypass via an alternate path or channel that could allow an attacker to gain root-equivalent permissions on the system. The issue arises in Wiki.js and is documented across multiple sources (...
CVE-2021-43856
CVE-2021-43856 concerns Wiki.js (Node.js) up to version 2.5.263, vulnerable to stored cross-site scripting via non-image file uploads that can be viewed inline in the browser. By uploading a file that executes inline JS when opened directly (e.g., an XML file), an attacker could trigger a stored ...
CVE-2020-11051
CVE-2020-11051 : Wiki.js before 2.3.81 has a stored XSS in the Markdown editor. An editor with write access can inject payloads into content; when another editor loads the same page in the Markdown editor, the payload can execute in the preview panel. The HTML sanitization strips the payload in r...
CVE-2020-4052
Wiki.js (before 2.4.107) is affected by a stored cross-site scripting (XSS) via template injection. The root cause is an insecure validation mechanism intended to insert v-pre tags into rendered HTML elements containing curly braces, allowing a crafted wiki page to execute malicious JavaScript wh...
CVE-2021-43855
Wiki.js 2.5.263 and earlier are vulnerable to a stored cross-site scripting (XSS) flaw via an SVG file upload using a forged MIME type. A crafted SVG can trigger JavaScript execution when viewed directly by other users; scripts do not run when the SVG is loaded through standard img tags. The issu...
CVE-2021-43800
CVE-2021-43800 affects Wiki.js (Node.js) prior to version 2.5.254. Affected condition: on Windows, when a storage module with local asset caching (e.g., Local File System or Git) is enabled and no web application firewall strips malicious URLs. The vulnerability allows directory traversal outside...
CVE-2021-21383
Wiki.js (Node.js-based wiki app) prior to version 2.5.191 is affected by a stored cross-site scripting (XSS) flaw in code blocks due to mustache expressions being parsed by Vue during content injection inside a element. The issue arises when a crafted wiki page triggers execution of malicious Ja...
CVE-2020-15274
CVE-2020-15274 — Wiki.js : A stored XSS was possible via page titles in Wiki.js before v2.5.162, exploitable through search results where the title text wasn’t properly escaped. The root cause, as described, was incomplete escaping in search results content, while navigation links and the actual ...
CVE-2026-44224
Wiki.js 2.x prior to 2.5.313 is affected by a privilege-escalation in the users.update GraphQL mutation: it accepts an arbitrary groups array and writes it to the database without validating group IDs or enforcing ownership checks. An attacker with manage:users can set groups:[1] on their own acc...