CVE-2026-26028: CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS
CryptPad’s HTML sanitizer in Diffmarked.js can be bypassed due to incomplete filtering of restricted tags.
Because the sanitizer only validates the src attribute of <iframe>, <video>, and <audio> elements, and does not restrict other attributes, an attacker can inject arbitrary HTML through srcdoc. This completely defeats CryptPad’s intended bounce sandboxing and allows link injection or other interactive content inside user-controlled documents.
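The filtering gap described above, shown beside an attribute-allowlist form of the same check. This is an added example, not CryptPad's Diffmarked.js code: the { tag, attrs } element model, the sandbox.example origin, the per-tag allowlist and all function names are assumptions made for illustration.

```javascript
// Added illustration, not CryptPad's code. Elements are modelled as plain
// objects { tag, attrs } so the example runs in Node without a DOM.
const RESTRICTED_TAGS = new Set(['iframe', 'video', 'audio']);

// Assumption: acceptable src values are application policy; a hypothetical
// sandbox origin stands in for it here.
const ALLOWED_SRC_PREFIX = 'https://sandbox.example/';
const isSafeSrc = (v) => typeof v === 'string' && v.startsWith(ALLOWED_SRC_PREFIX);

// Pattern described in the advisory: only src is validated on restricted
// tags, every other attribute is passed through untouched.
function sanitizeSrcOnly(el) {
  if (!RESTRICTED_TAGS.has(el.tag.toLowerCase())) return el;
  const attrs = { ...el.attrs };
  if ('src' in attrs && !isSafeSrc(attrs.src)) delete attrs.src;
  return { tag: el.tag, attrs };
}

// Hardened form: restricted tags keep only attributes named in a per-tag
// allowlist (hypothetical lists), so srcdoc and anything unlisted is dropped.
const ALLOWED_ATTRS = {
  iframe: new Set(['src', 'width', 'height']),
  video: new Set(['src', 'controls', 'width', 'height']),
  audio: new Set(['src', 'controls']),
};

function sanitizeAllowlist(el) {
  const tag = el.tag.toLowerCase();
  if (!RESTRICTED_TAGS.has(tag)) return el;
  const attrs = {};
  for (const [name, value] of Object.entries(el.attrs)) {
    const key = name.toLowerCase();
    if (!ALLOWED_ATTRS[tag].has(key)) continue;        // srcdoc ends here
    if (key === 'src' && !isSafeSrc(value)) continue;  // src still validated
    attrs[key] = value;
  }
  return { tag, attrs };
}

// Constructed sample: the src passes validation, but an iframe's srcdoc
// takes precedence over src when a browser renders the element.
const sample = {
  tag: 'iframe',
  attrs: { src: 'https://sandbox.example/pad', srcdoc: '<a href="https://example.invalid/">link</a>', width: '300' },
};

console.log('src-only :', Object.keys(sanitizeSrcOnly(sample).attrs));
console.log('allowlist:', Object.keys(sanitizeAllowlist(sample).attrs));
```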