Description
@diplodoc/search-extension 1.0.0 through 3.x before 3.0.3 allows stored XSS via the title in a .md file.
Published: 2026-05-01
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Diplodoc Search Extension, versions 1.0.0 through 3.x before 3.0.3, allows the title field of a markdown (.md) file to carry script content. When the extension renders such a title, the embedded script is executed in the browser, allowing an attacker to run arbitrary client-side code in the context of legitimate users who view the file. This flaw is classified as CWE-79 (cross-site scripting) and can lead to credential theft, session hijacking, and phishing attacks.

Affected Systems

The vulnerability affects the diplodoc-platform Search Extension. Every installation running a release from 1.0.0 up to, but not including, 3.0.3 is potentially exploitable. Version 3.0.3 and later contain the fix.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. No EPSS value is available and the flaw is not listed in KEV; as a stored XSS, successful exploitation requires a user to load a malicious markdown file that the extension processes. The likely attack path is an attacker adding or modifying a .md file whose crafted title contains JavaScript that the extension later renders.

Generated by OpenCVE AI on May 1, 2026 at 23:52 UTC.

Remediation

Vendor Solution

Use the function escapeHtml within highlighte.


OpenCVE Recommended Actions

  • Upgrade the Diplodoc Search Extension to v3.0.3 or later
  • Apply the escapeHtml function from the highlighte component when rendering title fields
  • If an upgrade cannot be performed immediately, sanitize or delete any markdown files with suspicious titles to prevent script injection
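The vendor fix and the first two recommended actions come down to one rule: escape the title before it is interpolated into HTML, and let the highlighter add only the tags it emits itself. The following is an added JavaScript example, not code from @diplodoc/search-extension; the function names are hypothetical and the sample title is constructed.

```javascript
// Added example, not @diplodoc/search-extension code: escaping a search-result
// title before it is interpolated into HTML. Function names are hypothetical.

// Escape the characters that can open a tag, close an attribute or start an entity.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Make the user's search query safe to embed in a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Vulnerable pattern: the raw title from the .md file is placed into markup,
// so any tag in the title is parsed and executed by the browser.
function highlightTitleUnsafe(title, query) {
  const re = new RegExp(escapeRegExp(query), 'gi');
  return `<h3>${title.replace(re, (m) => `<mark>${m}</mark>`)}</h3>`;
}

// Fixed pattern: split the raw title on the query, escape every piece, and wrap
// only the matched pieces in <mark>. Escaping each piece separately (rather than
// escaping first and then searching) keeps a query such as "amp" from matching
// inside an entity like "&amp;" and corrupting it.
function highlightTitleSafe(title, query) {
  if (!query) return `<h3>${escapeHtml(title)}</h3>`;
  const re = new RegExp(`(${escapeRegExp(query)})`, 'gi');
  const html = title
    .split(re) // with a capture group, matches land at odd indexes
    .map((part, i) => (i % 2 ? `<mark>${escapeHtml(part)}</mark>` : escapeHtml(part)))
    .join('');
  return `<h3>${html}</h3>`;
}

// Triage helper for the interim action above: flag titles that contain
// tag-like markup so the files can be reviewed before an upgrade.
function hasTagLikeMarkup(title) {
  return /<[a-z!\/?]/i.test(String(title));
}
```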

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:00:00 +0000

  Type     Values Removed   Values Added
  Title                     Stored XSS via Markdown Title in Diplodoc Search Extension

Fri, 01 May 2026 14:30:00 +0000

  Type     Values Removed   Values Added
  Metrics                   ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 01 May 2026 09:15:00 +0000

  Type         Values Removed   Values Added
  Description                   @diplodoc/search-extension 1.0.0 through 3.x before 3.0.3 allows stored XSS via the title in a .md file.
  Weaknesses                    CWE-79
  References
  Metrics                       cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T13:26:04.503Z

Reserved: 2026-04-10T06:45:33.622Z

Link: CVE-2026-40201

Vulnrichment

Updated: 2026-05-01T13:26:00.591Z

NVD

Status: Deferred

Published: 2026-05-01T09:16:16.810

Modified: 2026-05-01T15:37:07.253

Link: CVE-2026-40201

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:00:14Z

Weaknesses