CVE-2026-40201
Status: Deferred - Pending Action
Stored XSS in @diplodoc/search-extension

Publication date: 2026-05-01

Last updated on: 2026-05-05

Assigner: MITRE

Description
@diplodoc/search-extension 1.0.0 through 3.x before 3.0.3 allows stored XSS via the title in a .md file.
Meta Information

Published: 2026-05-01
Last Modified: 2026-05-05
Generated: 2026-06-16
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-06-14
References: NVD, EUVD
Affected Vendors & Products

Showing 1 associated CPE

Vendor: diplodoc
Product: search_extension
Version / Range: from 1.0.0 (inclusive) to 3.0.3 (exclusive)
CWE

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-40201 is a stored Cross-Site Scripting (XSS) vulnerability in the npm package @diplodoc/search-extension, versions 1.0.0 through 3.x before 3.0.3. The injection point is the title of a .md (Markdown) file: a title containing HTML or script is stored with the documentation source, carried through the build, and rendered without neutralization (in a search extension, most plausibly in the search result list), so it executes in the browser of anyone who views the affected output on the published site.

Impact Analysis

Because the payload lives in the documentation source, the injected script executes in the origin of the published documentation site for every visitor who triggers the affected rendering, not only for the author of the .md file. Anything reachable from that origin is exposed: non-HttpOnly cookies, tokens kept in localStorage, and authenticated endpoints on the same origin. The CVSS rating cited for this entry puts the confidentiality and integrity impact at low and the availability impact at none. Treat every party who can land Markdown in the docs repository, including external pull requests and automated content imports, as able to reach this bug.

Mitigation Strategies

To mitigate CVE-2026-40201, update @diplodoc/search-extension (GitHub: diplodoc-platform/search-extension) to version 3.0.3 or later, the first release that fixes the stored XSS.

  • Check the installed version of @diplodoc/search-extension. It may be pulled in transitively by the Diplodoc build tooling, so check the lockfile and dependency tree, not only package.json.
  • Upgrade to version 3.0.3 or later; 3.0.5 is listed as the latest release at the time of writing.
  • Rebuild and redeploy the documentation site after upgrading. In a standard Diplodoc static build the extension's client-side code is part of the built output, so an already-published site stays vulnerable until it is rebuilt with the fixed version.
  • Verify the update by reviewing the release notes and confirming that the deployed build was produced with the fixed version.
  • Until the fix is deployed, review the titles in your .md sources for HTML markup and restrict who can commit Markdown to the documentation repository.
Detection Guidance

This vulnerability is stored XSS via the title in a .md file in @diplodoc/search-extension versions 1.0.0 through 3.x before 3.0.3.

Detection has two sides: the installed package version, and the Markdown content that reaches it.

To detect the vulnerable package, check whether the installed @diplodoc/search-extension falls in the affected range (1.0.0 inclusive to 3.0.3 exclusive). Because the extension is often a transitive dependency of the Diplodoc toolchain, check the full dependency tree and the lockfile rather than only direct dependencies.

A common approach is to run commands that identify the installed package version. For example, if using npm, you can run:

  • npm list @diplodoc/search-extension

Compare versions numerically, not as strings: 3.0.10 is newer than 3.0.3, and a plain string comparison gets that wrong. If the version is within the vulnerable range, upgrade to version 3.0.3 or later.

Additionally, to detect exploitation attempts, treat the .md sources as the stored input. A page title (the front-matter title or the first heading, depending on how the build derives it) should be plain text, so any HTML tag, inline event handler (onerror=, onload=), javascript: URL, or entity-encoded markup in a title is a candidate payload and warrants review. Run that check over the whole docs tree and on every pull request in CI, and use the repository history to establish when such a title was introduced and by whom.

For network detection, a WAF or proxy can only see the payload if Markdown is submitted over HTTP (for example through a web-based editor or an upload API). On a static site built from a repository, the injected script is served as part of the site's own assets and is indistinguishable from legitimate content at the network layer. On the browser side, a Content-Security-Policy that disallows inline script would block the injected script from executing, if the site can be run under such a policy. No specific commands or signatures are provided in the available resources.
