HedgeDoc
Real-time collaborative markdown notes
Alternative to: hackmd, google docs, notion
About
Versions (41)
1.11.0
2026-06-18Security fixes
This release contains four security fixes:
- GHSA-6c2w-8w96-3pcv reports a possible HTML injection via the localpart of an email address.
- GHSA-qj78-mjch-wwrv reports a possible Denial-of-Service attack using the YAML frontmatter parsing.
- GHSA-8v9p-5j95-826j reports a possible CSRF attack vector in the GitHub Gist export.
- GHSA-2f9f-w8xq-276v reports a rate-limiting bypass by abusing the CF-Connecting-IP header.
Thanks to Chandler Johnson, taylorodell and alanturing881 for reporting!
Important notices
- When using Cloudflare in front of HedgeDoc, you should set
rateLimitUsingCloudflarein the config.json orCMD_RATE_LIMIT_USING_CLOUDFLAREas environment variable totrue.
Enhancements
- Added a warning page when clicking external links
- Improve the config.json.example file, which is used by
bin/setup - Allow configuration of login / signup rate-limits
- Allow configuration of Cloudflare usage in regards of rate-limits
- Several improvements in the documentation at https://docs.hedgedoc.org