Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
7DescriptionCVE.org
@diplodoc/search-extension 1.0.0 through 3.x before 3.0.3 allows stored XSS via the title in a .md file.
AnalysisAI
Stored cross-site scripting (XSS) in @diplodoc/search-extension versions 1.0.0 through 3.0.2 allows authenticated users to inject malicious scripts via the title field in Markdown files, which are then executed in the browsers of other users viewing the affected documentation. The vulnerability requires user interaction (rendered content must be viewed) and affects the confidentiality and integrity of affected systems. Vendor-released patch: version 3.0.3.
Technical ContextAI
The @diplodoc/search-extension is a search functionality plugin for the Diplodoc documentation platform that indexes and searches Markdown-based content. The vulnerability stems from improper sanitization of user-supplied input in the title metadata field of .md files (CWE-79: Improper Neutralization of Input During Web Page Generation). When the search extension processes Markdown files, it extracts the title field and renders it without adequate HTML/JavaScript escaping, allowing attackers to embed script payloads that execute in the context of other users' browsers when search results or documentation pages containing that title are displayed. The affected CPE is cpe:2.3:a:diplodoc-platform:@diplodoc/search-extension:*:*:*:*:*:*:*:*
RemediationAI
Upgrade @diplodoc/search-extension to version 3.0.3 or later. For organizations unable to immediately patch, implement strict input validation and output encoding on the Markdown title field: ensure all user-supplied titles are HTML-escaped before rendering (convert '<' to '<', '>' to '>', '"' to '"', and '&' to '&') and enforce a Content Security Policy (CSP) with script-src directive restricted to trusted sources only to mitigate XSS impact. Monitor documentation repositories for suspicious Markdown files with script-like content in title fields. Patch details and source code fix are documented in PR#41 at https://github.com/diplodoc-platform/search-extension/pull/41.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26484