CVE-2026-26028
CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS
Description
### Summary

CryptPad's HTML sanitizer in `diffMarked.js` can be bypassed due to incomplete filtering of restricted tags. Because the sanitizer only validates the `src` attribute of `<iframe>`, `<video>`, and `<audio>` elements and does not restrict other attributes, an attacker can inject arbitrary HTML through `srcdoc`. This completely defeats CryptPad's intended bounce sandboxing and allows link injection or other interactive content inside user-controlled documents.

### Details

The sanitizer defines forbidden and restricted tags but treats `<iframe>` as "restricted" instead of "forbidden":

https://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/www/common/diffMarked.js#L403-L407

The actual enforcement only checks the `src` attribute, nothing else:

https://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/www/common/diffMarked.js#L445-L449

Because only `src` is validated, adding a benign `blob:` `src` but a malicious `srcdoc` results in unrestricted rendering.

### PoC

An attacker can embed arbitrary HTML, including clickable external links, images, or interactive content, completely bypassing CryptPad's bounce mechanism and sanitization:

```html
<iframe src=blob: srcdoc="<a href=https://attacker.com target=_blank>CLICK ME</a>"></iframe>
```

Although CSP is strict, CryptPad exposes several same-origin gadgets that can execute attacker-controlled code. For example, `jscolor.js` dynamically evaluates user-provided options:

https://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/www/common/jscolor.js#L65-L71

### Impact

Sanitizer bypass, HTML injection and potentially XSS.
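As an added illustration of the flaw described above (not CryptPad's own code), the following JavaScript models the vulnerable per-tag check beside a hardened one that forbids `iframe` and allowlists attributes on `video`/`audio`; the tag lists, the attribute allowlist and the exact `blob:` prefix test are assumptions, and elements are plain objects so it runs without a DOM.

```javascript
// Added example (not CryptPad's code): a minimal model of the sanitizer logic.
// Elements are plain objects { tag, attrs } so the logic runs without a DOM.
const FORBIDDEN_TAGS = new Set(['script', 'object', 'embed']);  // assumed list
const RESTRICTED_TAGS = new Set(['iframe', 'video', 'audio']);  // per the advisory
// Hardened policy: iframe becomes forbidden, restricted tags get an attribute allowlist.
const HARDENED_FORBIDDEN = new Set([...FORBIDDEN_TAGS, 'iframe']);
const ALLOWED_ATTRS = {
  video: new Set(['src', 'controls', 'width', 'height']),
  audio: new Set(['src', 'controls']),
};

function hasBlobSrc(attrs) {
  // The advisory says only src is validated; the exact check is assumed here.
  return typeof attrs.src === 'string' && attrs.src.startsWith('blob:');
}

// Vulnerable behaviour: a restricted tag passes as long as src is a blob: URL,
// and every other attribute (srcdoc included) is forwarded untouched.
function sanitizeVulnerable(el) {
  const tag = el.tag.toLowerCase();
  if (FORBIDDEN_TAGS.has(tag)) return null;
  if (RESTRICTED_TAGS.has(tag) && !hasBlobSrc(el.attrs)) return null;
  return { tag, attrs: { ...el.attrs } };
}

// Hardened behaviour: drop iframe entirely; for video/audio keep only allowlisted
// attributes before re-checking src, so srcdoc-style attributes never survive.
function sanitizeHardened(el) {
  const tag = el.tag.toLowerCase();
  if (HARDENED_FORBIDDEN.has(tag)) return null;
  if (!RESTRICTED_TAGS.has(tag)) return { tag, attrs: { ...el.attrs } };
  const attrs = {};
  for (const [name, value] of Object.entries(el.attrs)) {
    const key = name.toLowerCase();
    if (ALLOWED_ATTRS[tag].has(key)) attrs[key] = value;
  }
  return hasBlobSrc(attrs) ? { tag, attrs } : null;
}

// Constructed input mirroring the PoC shape: benign blob: src, payload carried in srcdoc.
const POC_IFRAME = {
  tag: 'iframe',
  attrs: { src: 'blob:', srcdoc: '<a href="https://example.invalid">x</a>' },
};
```

Running both sanitizers over `POC_IFRAME` shows the difference: the vulnerable path returns the element with `srcdoc` intact, while the hardened path rejects it outright.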
How to patch CVE-2026-26028
No patched version has been released yet. Consider removing the affected package, or refer to the upstream advice at the links below.
- No patched version listed
Is CVE-2026-26028 being exploited?
Low. EPSS is 0.0%; no widespread exploitation activity has been observed.
Affected packages (1)
- from 0, <= 5.9.0