Security

Report a vulnerability

SECURITY.md

Security Policy

Reporting a Vulnerability

Please email [email protected] to report security related issues.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in etherpad-lite
GHSA-f7h5-v9hm-548j published Jun 10, 2026 by JohnMcLear

Critical
Import/export use Math.random() for temp file paths; predictable paths on shared /tmp enable symlink-based file overwrite
GHSA-2jwf-f4xq-f24h published Jun 10, 2026 by JohnMcLear

Moderate
x-proxy-path header reflected into admin HTML/JS/CSS (cache-poisoning XSS) and concatenated into redirect (open-redirect)
GHSA-fjgc-3mj7-8rg8 published Jun 10, 2026 by JohnMcLear

Moderate
Device-to-device author-token transfer endpoint is replayable, never expires, and exposes the cleartext author token
GHSA-vqfp-p66c-xrp9 published Jun 10, 2026 by JohnMcLear

Moderate
JWT `admin` claim presence-only check lets non-admin OAuth users invoke every Etherpad HTTP API endpoint
GHSA-qfmh-fph3-mw8q published Jun 10, 2026 by JohnMcLear

Critical
Hardening: weak token RNG, login timing, plugin path handling, API request handling
GHSA-92hr-gmr6-h8cp published Jun 10, 2026 by JohnMcLear

Moderate
Stored XSS in HTML export via unescaped attribute-pool values
GHSA-2jp7-wwpg-3p9w published Jun 10, 2026 by JohnMcLear

High
Admin privilege escalation and arbitrary code execution via malicious *.etherpad imports
GHSA-w3g3-qf3g-2mqc published Dec 9, 2021 by rhansen

Critical

Learn more about advisories related to ether/etherpad in the GitHub Advisory Database