CVE-2026-43887

Outline · Outline

Outline is susceptible to a stored Cross-site Scripting (XSS) vulnerability, allowing authenticated users to execute malicious scripts in the context of other users' sessions.

Executive summary

A stored Cross-site Scripting (XSS) vulnerability in Outline collaborative documentation allows authenticated users to execute malicious scripts, leading to potential session hijacking and data theft.

Vulnerability

This is a Cross-site Scripting (CWE-79) vulnerability occurring due to improper neutralization of user-supplied input. An authenticated user can inject malicious scripts that execute when other users view the affected documentation, potentially compromising their sessions.

Business impact

With a CVSS score of 7.3, this vulnerability poses a substantial risk to user account integrity and data confidentiality. Successful exploitation could allow an attacker to hijack administrative or user sessions, modify documentation, or exfiltrate sensitive information, leading to unauthorized access across the organization's collaborative environment.

Remediation

Immediate Action: Upgrade Outline installations to version 1.7.0 or the latest available stable release.

Proactive Monitoring: Monitor browser-side security headers and look for anomalous script execution or unauthorized API calls originating from authenticated users.

Compensating Controls: Deploy a Web Application Firewall (WAF) with robust XSS filtering rules to intercept and block malicious script injection attempts in real-time.

Exploitation status

Public Exploit Available: Unknown — there is no confirmed public exploit or weaponized module available.

Analyst recommendation

The presence of a known proof-of-concept for this XSS vulnerability mandates an immediate update to the patched version. Security administrators should ensure that all users are aware of the risks associated with clicking suspicious links or viewing untrusted content within the platform until the update is applied.