Outline Collaboration Service Vulnerability Allows Client-Side Code Execution
A high-severity vulnerability, CVE-2026-43887, has been identified in Outline, a collaborative documentation service. According to the National Vulnerability Database, versions 0.84.0 through 1.6.1 are affected. The flaw resides in the comment section, where user mentions fail to properly validate or sanitize the href attribute. This oversight allows for the injection of dangerous protocols, such as javascript:, leading to client-side code execution.
This Cross-Site Scripting (XSS) vulnerability (CWE-79) carries a CVSS score of 7.3 (High), indicating a significant risk. An attacker could exploit this by crafting a malicious mention in a comment, which, when viewed by another user, could execute arbitrary client-side code within their browser. This could lead to session hijacking, data exfiltration, or further compromise of the user’s account within the Outline service.
The National Vulnerability Database confirms that this issue has been addressed in Outline version 1.7.0. Defenders must prioritize patching to mitigate this risk, as client-side code execution in collaborative platforms can quickly escalate into broader organizational compromise.
What This Means For You
- If your organization uses Outline for collaborative documentation, immediately verify your deployment's version. Any instance running a version from 0.84.0 through 1.6.1 is vulnerable. Patch to version 1.7.0 or newer without delay to prevent client-side code execution attacks via malicious comments.
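The fix the page describes is validating the mention's href before it is stored or rendered. The TypeScript below is an added example, not Outline's own code or patch: it allowlists the URL scheme using the WHATWG URL parser, shows why a hypothetical string-prefix blocklist is not enough, and runs over constructed sample hrefs (all function and constant names are assumptions).

```typescript
// Added example, not Outline's own code: allowlist the URL scheme of a
// mention's href with the WHATWG URL parser instead of pattern-matching the
// raw string. Function and constant names here are hypothetical.

// Schemes a mention may legitimately link to.
const ALLOWED_PROTOCOLS: ReadonlySet<string> = new Set(["http:", "https:", "mailto:"]);

// Base used only so that relative hrefs such as "/doc/abc" resolve to a
// same-site https link; the host is a placeholder, not a real deployment.
const RESOLVE_BASE = "https://outline.invalid/";

function isSafeMentionHref(href: unknown): boolean {
  if (typeof href !== "string" || href.length === 0) return false;
  try {
    // The parser lower-cases the scheme and strips the tab, newline and
    // leading control characters a browser also ignores, so an obfuscated
    // "java\tscript:" spelling still parses to the javascript: scheme.
    const url = new URL(href, RESOLVE_BASE);
    return ALLOWED_PROTOCOLS.has(url.protocol);
  } catch {
    // Input the URL parser rejects is never passed through to the renderer.
    return false;
  }
}

// What the comment renderer should emit: the validated href, or an inert
// fragment link when validation fails.
function sanitizeMentionHref(href: unknown): string {
  return isSafeMentionHref(href) ? (href as string) : "#";
}

// A hypothetical blocklist check, kept here only to show why it is
// insufficient: it returns true (allowed) for spellings a browser will
// still treat as the javascript: scheme.
function naiveBlocklistAllows(href: string): boolean {
  return !href.trim().toLowerCase().startsWith("javascript:");
}

// Constructed sample inputs, as mention hrefs in a comment payload might arrive.
const SAMPLE_HREFS: string[] = [
  "https://docs.example.org/u/alice",
  "/doc/team-notes",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
];

for (const href of SAMPLE_HREFS) {
  console.log(JSON.stringify(href), "->", sanitizeMentionHref(href), "| naive allows:", naiveBlocklistAllows(href));
}
```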
🛡️ Detection Rules
```yaml
title: CVE-2026-43887 - Outline Collaboration Service Client-Side Code Execution via Malicious Mention
id: scw-2026-05-11-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-43887 by submitting a comment containing a javascript: URI within the href attribute of a user mention. This targets the vulnerability in Outline versions 0.84.0 to 1.6.1 where the backend fails to sanitize href attributes in mentions, allowing for client-side code execution.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43887/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/v2/comments'
    cs-method:
      - 'POST'
    cs-uri-query|contains:
      - 'javascript:'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-43887 | XSS | Outline versions 0.84.0 to 1.6.1 |
| CVE-2026-43887 | XSS | Outline comment section, href attribute in user mentions |
| CVE-2026-43887 | XSS | Lack of validation/sanitization for dangerous protocols (e.g., javascript:) in href attribute |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 01:22 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.