CVE-2026-22867 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, impacting the suitenumerique docs platform, a collaborative note-taking, wiki, and documentation tool. The vulnerability affects versions from 3.8.0 up to but not including 4.4.0. It arises from improper input neutralization in the Interlinking feature, which allows users to create links to other documents within the editor. Specifically, the URL of these links is not validated to restrict potentially dangerous schemes. An attacker with document editing privileges can exploit this by injecting a malicious javascript: URL into a document link. When other users view and click this link, the embedded JavaScript executes in their browser context, enabling arbitrary code execution. This can lead to theft of session tokens, unauthorized actions on behalf of users, or further compromise of the affected system. The vulnerability requires the attacker to have editing rights and the victim to interact by clicking the malicious link, but no additional authentication bypass is needed. The CVSS v3.1 score is 8.7 (high severity), reflecting network attack vector, low attack complexity, privileges required, user interaction, and high impact on confidentiality and integrity. No known exploits are reported in the wild yet. The issue is resolved in version 4.4.0 of suitenumerique docs, where input validation for URLs in the Interlinking feature has been properly implemented to neutralize malicious scripts.

For European organizations, this vulnerability poses significant risks to confidentiality and integrity of collaborative documentation environments. Exploitation can lead to unauthorized disclosure of sensitive information, session hijacking, and potential lateral movement within networks if attackers leverage stolen credentials or tokens. Organizations relying on suitenumerique docs for internal knowledge sharing, project management, or documentation are at risk of targeted attacks, especially if document editing privileges are widely granted. The vulnerability could be exploited to implant persistent malicious scripts, affecting multiple users over time. This is particularly concerning for sectors with stringent data protection requirements such as finance, healthcare, and government agencies in Europe. The requirement for user interaction (clicking the malicious link) somewhat limits automated exploitation but does not eliminate risk, especially in environments with high user collaboration and trust. The lack of known exploits in the wild suggests a window of opportunity for proactive mitigation before widespread abuse occurs.

European organizations should immediately upgrade suitenumerique docs to version 4.4.0 or later, where the vulnerability is fixed. Until patching is complete, restrict document editing privileges to trusted users only, minimizing the number of accounts capable of injecting malicious links. Implement user awareness training to caution users against clicking suspicious or unexpected links within documentation platforms. Employ Content Security Policy (CSP) headers to restrict execution of inline scripts and reduce the impact of XSS attacks. Monitor logs for unusual document edits or link creations that include javascript: schemes. Consider deploying web application firewalls (WAFs) with custom rules to detect and block malicious URL schemes in document content. Regularly audit and review collaborative documents for suspicious links. Finally, integrate vulnerability scanning and patch management processes to ensure timely updates of suitenumerique docs and other critical software.