Filtered by vendor Getoutline
Subscriptions
Filtered by product Outline
Subscriptions
Total
21 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-43887 | 1 Getoutline | 1 Outline | 2026-05-12 | 7.3 High |
| Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or sanitize the href attribute associated with these mentions. As a result, potentially dangerous protocols (e.g., javascript:) are not filtered, introducing a risk of client-side code execution. This vulnerability is fixed in 1.7.0. | ||||
| CVE-2026-43886 | 1 Getoutline | 1 Outline | 2026-05-12 | 8.2 High |
| Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the wildcard * scope by requesting scope=read *, escalating a read-only OAuth token to full unrestricted API access including write, delete, and admin operations. This vulnerability is fixed in 1.7.0. | ||||
| CVE-2026-43890 | 1 Getoutline | 1 Outline | 2026-05-12 | 7.7 High |
| Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API endpoint in server/routes/api/subscriptions/subscriptions.ts exhibits a broken authorization pattern. When both collectionId and documentId are supplied in the request, the route handler authorizes ONLY the collection branch (line 125 if (collectionId)), while the downstream subscriptionCreator command at server/commands/subscriptionCreator.ts writes the subscription against the documentId (which was never validated). The result is a subscription record pinning the attacker's user to a victim document the attacker has no read access to, on any team in the instance. The schema (server/routes/api/subscriptions/schema.ts) only enforces "at least one of collectionId/documentId" via .refine() — it does NOT enforce mutual exclusivity, so passing both is a valid, schema-conforming request. This vulnerability is fixed in 1.7.1. | ||||
| CVE-2026-43888 | 1 Getoutline | 1 Outline | 2026-05-12 | 8.7 High |
| Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When a zip entry's nested path is long enough to push the joined filesystem path over MAX_PATH_LENGTH (4096 bytes), trimFileAndExt silently drops all directory components and returns a bare filename. fs.createWriteStream then opens the file relative to the process working directory instead of inside the extraction sandbox, and the escaped file persists after import cleanup because cleanupExtractedData only removes the temporary extraction directory. This vulnerability is fixed in 1.7.0. | ||||
| CVE-2026-43889 | 1 Getoutline | 1 Outline | 2026-05-12 | 6.5 Medium |
| Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each—skipping the "share" permission check. A subsequent shares.update authorizes publication using an OR policy (can share collection OR can share document), so an attacker who holds share permission on one unrelated collection can publish a share that exposes an arbitrary document they cannot legitimately share, making it publicly accessible to unauthenticated users. This vulnerability is fixed in 1.7.0. | ||||
| CVE-2026-44695 | 1 Getoutline | 1 Outline | 2026-05-12 | 5.8 Medium |
| Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A third party who can obtain a Slack OAuth code for the same Outline Slack client can make a logged-in Outline user complete the callback and link that user's Outline account to the attacker's Slack team_id and user_id. The linked Slack identity can then use the Slack /outline search command as the victim Outline user. This vulnerability is fixed in 1.7.1. | ||||
| CVE-2026-41649 | 1 Getoutline | 1 Outline | 2026-05-01 | 7.7 High |
| Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the `documents.info` endpoint. Version 1.7.0 contains a patch. | ||||
| CVE-2026-25062 | 1 Getoutline | 1 Outline | 2026-04-17 | 5.5 Medium |
| Outline is a service that allows for collaborative documentation. Prior to 1.4.0, during the JSON import process, the value of attachments[].key from the imported JSON is passed directly to path.join(rootPath, node.key) and then read using fs.readFile without validation. By embedding path traversal sequences such as ../ or absolute paths, an attacker can read arbitrary files on the server and import them as attachments. This vulnerability is fixed in 1.4.0. | ||||
| CVE-2020-37030 | 1 Getoutline | 1 Outline | 2026-04-15 | 7.8 High |
| Outline Service 1.3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in C:\Program Files (x86)\Outline to inject malicious code that would execute with LocalSystem permissions during service startup. | ||||
| CVE-2026-33640 | 1 Getoutline | 1 Outline | 2026-04-01 | 9.8 Critical |
| Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or frequency of invalid submissions, rather it relies on the rate limiter to restrict attempts. Consequently, identified bypasses in the rate limiter permit unrestricted OTP code submissions within the codes lifetime. This allows attackers to perform brute force attacks which enable account takeover. Version 1.6.0 fixes the issue. | ||||
| CVE-2026-24901 | 1 Getoutline | 1 Outline | 2026-03-24 | 8.1 High |
| Outline is a service that allows for collaborative documentation. Prior to 1.4.0, an Insecure Direct Object Reference (IDOR) vulnerability in the document restoration logic allows any team member to unauthorizedly restore, view, and seize ownership of deleted drafts belonging to other users, including administrators. By bypassing ownership validation during the restore process, an attacker can access sensitive private information and effectively lock the original owner out of their own content. Version 1.4.0 fixes the issue. | ||||
| CVE-2026-28506 | 1 Getoutline | 1 Outline | 2026-03-24 | 4.3 Medium |
| Outline is a service that allows for collaborative documentation. Prior to 1.5.0, the events.list API endpoint, used for retrieving activity logs, contains a logic flaw in its filtering mechanism. It allows any authenticated user to retrieve activity events associated with documents that have no collection (e.g., Private Drafts, Deleted Documents), regardless of the user's actual permissions on those documents. While the document content is not directly exposed, this vulnerability leaks sensitive metadata (such as Document IDs, user activity timestamps, and in some specific cases like the Document Title of Permanent Delete). Crucially, leaking valid Document IDs of deleted drafts removes the protection of UUID randomness, making High-severity IDOR attacks (such as the one identified in documents.restore) trivially exploitable by lowering the attack complexity. Version 1.5.0 fixes the issue. | ||||
| CVE-2023-54331 | 1 Getoutline | 1 Outline | 2026-03-05 | 7.8 High |
| Outline 1.6.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the OutlineService executable to inject malicious code that will be executed with LocalSystem permissions. | ||||
| CVE-2025-64487 | 1 Getoutline | 1 Outline | 2026-02-20 | 7.6 High |
| Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a privilege escalation vulnerability exists in the Outline document management system due to inconsistent authorization checks between user and group membership management endpoints. This vulnerability is fixed in 1.1.0. | ||||
| CVE-2025-68663 | 1 Getoutline | 1 Outline | 2026-02-20 | 5.3 Medium |
| Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a vulnerability was found in Outline's WebSocket authentication mechanism that allows suspended users to maintain or establish real-time WebSocket connections and continue receiving sensitive operational updates after their account has been suspended. This vulnerability is fixed in 1.1.0. | ||||
| CVE-2025-58351 | 1 Getoutline | 1 Outline | 2025-10-20 | 6.8 Medium |
| Outline is a service that allows for collaborative documentation. In versions 0.72.0 through 0.83.0, Outline introduced a feature which facilitates local file system storage capabilities as an optional file storage strategy. This feature allowed a CSP bypass as well as a ContentType bypass that might facilitate further attacks. In the case of self-hosting and using Outline FILE_STORAGE=local on the same domain as the Outline application, a malicious payload can be uploaded as a file attachment and bypass those CSP restrictions, allowing script execution within the context of another user. This is fixed in version 0.84.0. | ||||
| CVE-2024-37829 | 1 Getoutline | 1 Outline | 2025-10-10 | 8.8 High |
| An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafted magic sign-in link. | ||||
| CVE-2024-40626 | 1 Getoutline | 1 Outline | 2025-10-10 | 7.3 High |
| Outline is an open source, collaborative document editor. A type confusion issue was found in ProseMirror’s rendering process that leads to a Stored Cross-Site Scripting (XSS) vulnerability in Outline. An authenticated user can create a document containing a malicious JavaScript payload. When other users view this document, the malicious Javascript can execute in the origin of Outline. Outline includes CSP rules to prevent third-party code execution, however in the case of self-hosting and having your file storage on the same domain as Outline a malicious payload can be uploaded as a file attachment and bypass those CSP restrictions. This issue has been addressed in release version 0.77.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-37830 | 1 Getoutline | 1 Outline | 2024-11-21 | 4.3 Medium |
| An issue in Outline <= v0.76.1 allows attackers to redirect a victim user to a malicious site via intercepting and changing the state cookie. | ||||
| CVE-2023-3532 | 1 Getoutline | 1 Outline | 2024-11-21 | 5.4 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to 0.70.1. | ||||