CVE-2026-25062

low-risk

Published 2026-02-11

Outline is a service that allows for collaborative documentation. Prior to 1.4.0, during the JSON import process, the value of attachments[].key from the imported JSON is passed directly to path.join(rootPath, node.key) and then read using fs.readFile without validation. By embedding path traversal sequences such as ../ or absolute paths, an attacker can read arbitrary files on the server and import them as attachments. This vulnerability is fixed in 1.4.0.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Outline

Affected Vendors

Getoutline

References (2)

Release Notes https://github.com/outline/outline/releases/tag/v1.4.0

Vendor Advisory https://github.com/outline/outline/security/advisories/GHSA-7r4f-3wjv-83xf

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal