Tom Moor

4 exploits Active since Jul 2022
CVE-2026-41649 WRITEUP HIGH WRITEUP
Outline has IDOR in document share creation that allows unauthorized access to private documents across workspaces
Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the `documents.info` endpoint. Version 1.7.0 contains a patch.
CVSS 7.7
CVE-2022-2342 WRITEUP MEDIUM WRITEUP
GitHub outline/outline <0.64.4 - XSS
Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to v0.64.4.
CVSS 5.4
CVE-2023-3532 WRITEUP MEDIUM WRITEUP
GitHub outline/outline <0.70.1 - XSS
Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to 0.70.1.
CVSS 5.4
CVE-2025-58351 WRITEUP MEDIUM WRITEUP
Outline <0.83.0 - XSS
Outline is a service that allows for collaborative documentation. In versions 0.72.0 through 0.83.0, Outline introduced a feature which facilitates local file system storage capabilities as an optional file storage strategy. This feature allowed a CSP bypass as well as a ContentType bypass that might facilitate further attacks. In the case of self-hosting and using Outline FILE_STORAGE=local on the same domain as the Outline application, a malicious payload can be uploaded as a file attachment and bypass those CSP restrictions, allowing script execution within the context of another user. This is fixed in version 0.84.0.
CVSS 6.8