Home > Vulnerability Database > CVE-2026-22249

Mend.io Vulnerability Database

CVE-2026-22249

Good to know:

Date: January 15, 2026

Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there are no validation on filename. This vulnerability is fixed in 0.24.0.

Severity Score

7.1

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-22249

Url: https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg

Url: https://github.com/docmost/docmost/pull/1753

Url: https://github.com/docmost/docmost/commit/c3b350d943108552e20654580005cd6f6c78ab05

Url: https://github.com/docmost/docmost/releases/tag/v0.24.0

Url: https://www.mend.io/vulnerability-database/CVE-2026-22249

Severity Score

7.1

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version https://github.com/docmost/docmost.git - v0.24.0

Learn More

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-22249

Good to know:

Date: January 15, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?