GHSA-G2G4-47GV-P72V
Vulnerability from github – Published: 2026-05-26 19:05 – Updated: 2026-05-26 19:05Summary
CryptPad’s HTML sanitizer in Diffmarked.js can be bypassed due to incomplete filtering of restricted tags.
Because the sanitizer only validates the src attribute of <iframe> <video>, and <audio> elements, and does not restrict other attributes, an attacker can inject arbitrary HTML through srcdoc. This completely defeats CryptPad’s intended bounce sandboxing and allows link injection or other interactive content inside user-controlled documents.
Details
The sanitizer defines forbidden and restricted tags but treats as “restricted” instead of “forbidden”:
https://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/www/common/diffMarked.js#L403-L407 The actual enforcement only checks the src attribute, nothing else:
https://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/www/common/diffMarked.js#L445-L449
Because only src is validated, adding a benign blob: src but malicious srcdoc results in unrestricted rendering.
PoC
An attacker can embed arbitrary HTML, including clickable external links, images, or interactive content, completely bypassing CryptPad’s bounce mechanism and sanitization:
<iframe src=blob: srcdoc="<a href=https://attacker.com target=_blank>CLICK ME</a>"></iframe>
Although CSP is strict, CryptPad exposes several same-origin gadgets that can execute attacker-controlled code.
For example, jscolor.js dynamically evaluates user-provided options:
https://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/www/common/jscolor.js#L65-L71
Impact
Sanitizer bypass, HTML injection and potentially XSS.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "cryptpad"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26028"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-116"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-26T19:05:10Z",
"nvd_published_at": "2026-05-20T20:16:36Z",
"severity": "MODERATE"
},
"details": "### Summary\nCryptPad\u2019s HTML sanitizer in Diffmarked.js can be bypassed due to incomplete filtering of restricted tags.\nBecause the sanitizer only validates the src attribute of `\u003ciframe\u003e` `\u003cvideo\u003e`, and `\u003caudio\u003e` elements, and does not restrict other attributes, an attacker can inject arbitrary HTML through srcdoc. This completely defeats CryptPad\u2019s intended bounce sandboxing and allows link injection or other interactive content inside user-controlled documents.\n\n### Details\nThe sanitizer defines forbidden and restricted tags but treats \u003ciframe\u003e as \u201crestricted\u201d instead of \u201cforbidden\u201d:\n\nhttps://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/www/common/diffMarked.js#L403-L407\nThe actual enforcement only checks the src attribute, nothing else:\n\nhttps://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/www/common/diffMarked.js#L445-L449\n\nBecause only src is validated, adding a benign blob: src but malicious srcdoc results in unrestricted rendering.\n### PoC\n\nAn attacker can embed arbitrary HTML, including clickable external links, images, or interactive content, completely bypassing CryptPad\u2019s bounce mechanism and sanitization:\n\n```html\n\u003ciframe src=blob: srcdoc=\"\u003ca href=https://attacker.com target=_blank\u003eCLICK ME\u003c/a\u003e\"\u003e\u003c/iframe\u003e\n```\n\nAlthough CSP is strict, CryptPad exposes several same-origin gadgets that can execute attacker-controlled code.\n\nFor example, `jscolor.js` dynamically evaluates user-provided options:\nhttps://github.com/cryptpad/cryptpad/blob/0dd3c1f53d56dffb06651b86ead6b9b387920173/www/common/jscolor.js#L65-L71\n\n### Impact\nSanitizer bypass, HTML injection and potentially XSS.",
"id": "GHSA-g2g4-47gv-p72v",
"modified": "2026-05-26T19:05:10Z",
"published": "2026-05-26T19:05:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cryptpad/cryptpad/security/advisories/GHSA-g2g4-47gv-p72v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26028"
},
{
"type": "PACKAGE",
"url": "https://github.com/cryptpad/cryptpad"
},
{
"type": "WEB",
"url": "https://github.com/cryptpad/cryptpad/releases/tag/2026.2.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.