What is CVE-2026-26028?

CVE-2026-26028 is a medium-severity vulnerability in Cryptpad, classified under Cross-site Scripting. CVSS score: 6.1/10. Published 2026-05-20.

How severe is CVE-2026-26028?

Medium severity. CVSS v3 base score is 6.1 out of 10.

XSS in Cryptpad

CVE-2026-26028

CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the s…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (9.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.1 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Affected products

Cryptpad — versions < 2026.2.0

Weakness classification (CWE)

CWE-79 — Cross-site Scripting
CWE-116 — Improper Encoding or Escaping of Output

References

security-advisories@github.com (x_refsource_CONFIRM)
security-advisories@github.com (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-26028?: CVE-2026-26028 is a medium-severity vulnerability in Cryptpad, classified under Cross-site Scripting. CVSS score: 6.1/10. Published 2026-05-20.
How severe is CVE-2026-26028?: Medium severity. CVSS v3 base score is 6.1 out of 10.