Skip to main content

@diplodoc/search-extension CVE-2026-40201

| EUVDEUVD-2026-26484 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-01 mitre
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

7
Patch released
May 01, 2026 - 15:37 nvd
Patch available
Patch available
May 01, 2026 - 10:01 EUVD
Source Code Evidence Fetched
May 01, 2026 - 09:30 vuln.today
Analysis Generated
May 01, 2026 - 09:30 vuln.today
EUVD ID Assigned
May 01, 2026 - 09:15 euvd
EUVD-2026-26484
Analysis Generated
May 01, 2026 - 09:15 vuln.today
CVE Published
May 01, 2026 - 08:36 nvd
MEDIUM 5.4

DescriptionCVE.org

@diplodoc/search-extension 1.0.0 through 3.x before 3.0.3 allows stored XSS via the title in a .md file.

AnalysisAI

Stored cross-site scripting (XSS) in @diplodoc/search-extension versions 1.0.0 through 3.0.2 allows authenticated users to inject malicious scripts via the title field in Markdown files, which are then executed in the browsers of other users viewing the affected documentation. The vulnerability requires user interaction (rendered content must be viewed) and affects the confidentiality and integrity of affected systems. Vendor-released patch: version 3.0.3.

Technical ContextAI

The @diplodoc/search-extension is a search functionality plugin for the Diplodoc documentation platform that indexes and searches Markdown-based content. The vulnerability stems from improper sanitization of user-supplied input in the title metadata field of .md files (CWE-79: Improper Neutralization of Input During Web Page Generation). When the search extension processes Markdown files, it extracts the title field and renders it without adequate HTML/JavaScript escaping, allowing attackers to embed script payloads that execute in the context of other users' browsers when search results or documentation pages containing that title are displayed. The affected CPE is cpe:2.3:a:diplodoc-platform:@diplodoc/search-extension:*:*:*:*:*:*:*:*

RemediationAI

Upgrade @diplodoc/search-extension to version 3.0.3 or later. For organizations unable to immediately patch, implement strict input validation and output encoding on the Markdown title field: ensure all user-supplied titles are HTML-escaped before rendering (convert '<' to '&lt;', '>' to '&gt;', '"' to '&quot;', and '&' to '&amp;') and enforce a Content Security Policy (CSP) with script-src directive restricted to trusted sources only to mitigate XSS impact. Monitor documentation repositories for suspicious Markdown files with script-like content in title fields. Patch details and source code fix are documented in PR#41 at https://github.com/diplodoc-platform/search-extension/pull/41.

Share

CVE-2026-40201 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy