This page aggregates CVE records for getoutline-related products, listing the maximum CVSS score, EPSS exploitation probability, and publication and last-update dates for each entry.
Historical issues are dominated by authorization flaws (IDOR in share-link creation and in draft restoration, inconsistent checks between user and group membership endpoints, event-log filtering that leaks metadata about private drafts and deleted documents, and WebSocket sessions that survive account suspension), stored XSS in the editor, path traversal in the JSON import of attachments, a CSP and Content-Type bypass when local file storage is served from the application origin, and weak handling of authentication state (a session-independent OAuth state in the Slack callback, a tamperable state cookie enabling open redirect, a crafted magic sign-in link enabling session hijacking, and an email OTP flow whose only brute-force control is the rate limiter). Impacts range from disclosure of other users' documents to session compromise and arbitrary file read on the server. One entry, CVE-2023-54331, describes an unquoted Windows service path in an OutlineService executable running as LocalSystem; the collaborative documentation server is a Node.js web application and ships no Windows service, so that record most likely belongs to a different product carrying the Outline name and should be checked against its own advisory before being acted on.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-44695 | Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A third party who can obtain a Slack OAuth code for the same Outline Slack client can make a logged-in Outline user complete the callback and link that user's Outline account to the attacker's Slack team_id and user_id. The linked Slack identity can then use the Slack /outline search command as the vi | [email protected] | 5.8 | 0.01% | 2026-05-11 | 2026-05-15 |
| CVE-2026-41649 | Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belongin | [email protected] | 7.7 | 0.03% | 2026-04-28 | 2026-05-01 |
| CVE-2026-33640 | Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users not associated with an Identity Provider. Starting in version 0.86.0 and prior to version 1.6.0, Outline does not invalidate OTP codes based on amount or frequency of invalid submissions, rather it relies on the rate limiter to restrict attempts. Consequently, identified bypasses in the rate limiter permit unrestricted OTP code submissions within the code's lifetime. This allows | [email protected] | 9.1 | 0.02% | 2026-03-26 | 2026-03-31 |
| CVE-2026-28506 | Outline is a service that allows for collaborative documentation. Prior to 1.5.0, the events.list API endpoint, used for retrieving activity logs, contains a logic flaw in its filtering mechanism. It allows any authenticated user to retrieve activity events associated with documents that have no collection (e.g., Private Drafts, Deleted Documents), regardless of the user's actual permissions on those documents. While the document content is not directly exposed, this vulnerability leaks sensitiv | [email protected] | 4.3 | 0.02% | 2026-03-17 | 2026-03-19 |
| CVE-2026-24901 | Outline is a service that allows for collaborative documentation. Prior to 1.4.0, an Insecure Direct Object Reference (IDOR) vulnerability in the document restoration logic allows any team member to unauthorizedly restore, view, and seize ownership of deleted drafts belonging to other users, including administrators. By bypassing ownership validation during the restore process, an attacker can access sensitive private information and effectively lock the original owner out of their own content. | [email protected] | 8.1 | 0.03% | 2026-03-17 | 2026-03-19 |
| CVE-2026-25062 | Outline is a service that allows for collaborative documentation. Prior to 1.4.0, during the JSON import process, the value of attachments[].key from the imported JSON is passed directly to path.join(rootPath, node.key) and then read using fs.readFile without validation. By embedding path traversal sequences such as ../ or absolute paths, an attacker can read arbitrary files on the server and import them as attachments. This vulnerability is fixed in 1.4.0. | [email protected] | 5.5 | 0.02% | 2026-02-11 | 2026-02-20 |
| CVE-2025-68663 | Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a vulnerability was found in Outline's WebSocket authentication mechanism that allows suspended users to maintain or establish real-time WebSocket connections and continue receiving sensitive operational updates after their account has been suspended. This vulnerability is fixed in 1.1.0. | [email protected] | 6.9 | 0.06% | 2026-02-11 | 2026-02-20 |
| CVE-2025-64487 | Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a privilege escalation vulnerability exists in the Outline document management system due to inconsistent authorization checks between user and group membership management endpoints. This vulnerability is fixed in 1.1.0. | [email protected] | 7.6 | 0.01% | 2026-02-11 | 2026-02-20 |
| CVE-2023-54331 | Outline 1.6.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the OutlineService executable to inject malicious code that will be executed with LocalSystem permissions. | [email protected] | 8.5 | 0.01% | 2026-01-13 | 2026-02-02 |
| CVE-2025-58351 | Outline is a service that allows for collaborative documentation. In versions 0.72.0 through 0.83.0, Outline introduced a feature which facilitates local file system storage capabilities as an optional file storage strategy. This feature allowed a CSP bypass as well as a ContentType bypass that might facilitate further attacks. In the case of self-hosting and using Outline FILE_STORAGE=local on the same domain as the Outline application, a malicious payload can be uploaded as a file attachment a | [email protected] | 6.8 | 0.07% | 2025-09-03 | 2025-10-20 |
| CVE-2024-40626 | Outline is an open source, collaborative document editor. A type confusion issue was found in ProseMirror's rendering process that leads to a Stored Cross-Site Scripting (XSS) vulnerability in Outline. An authenticated user can create a document containing a malicious JavaScript payload. When other users view this document, the malicious JavaScript can execute in the origin of Outline. Outline includes CSP rules to prevent third-party code execution, however in the case of self-hosting and havin | [email protected] | 7.3 | 0.17% | 2024-07-16 | 2025-10-10 |
| CVE-2024-37829 | An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafted magic sign-in link. | [email protected] | 8.8 | 0.27% | 2024-07-09 | 2025-10-10 |
| CVE-2024-37830 | An issue in Outline <= v0.76.1 allows attackers to redirect a victim user to a malicious site via intercepting and changing the state cookie. | [email protected] | 6.1 | 0.22% | 2024-07-09 | 2024-11-21 |
| CVE-2023-3532 | Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to 0.70.1. | [email protected] | 5.4 | 0.08% | 2023-07-07 | 2024-11-21 |
| CVE-2022-2342 | Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to v0.64.4. | [email protected] | 5.4 | 0.31% | 2022-07-07 | 2024-11-21 |