CVE-2026-40201
Stored XSS in @diplodoc/search-extension
Publication date: 2026-05-01
Last updated on: 2026-05-05
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| diplodoc | search_extension | From 1.0.0 (inc) to 3.0.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40201 is a vulnerability in the diplodoc/search-extension versions 1.0.0 through 3.x before 3.0.3 that allows stored Cross-Site Scripting (XSS) attacks. This occurs via the title field in a .md (Markdown) file, meaning that malicious scripts can be injected and stored within the application through this vector.
How can this vulnerability impact me?
This stored XSS vulnerability can allow an attacker to execute malicious scripts in the context of the affected application when users view the compromised .md file titles. The impact includes potential compromise of user data confidentiality and integrity, as indicated by the CVSS score which rates the confidentiality and integrity impact as low but with no impact on availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability CVE-2026-40201, you should update the diplodoc-platform/search-extension to version 3.0.3 or later, as this version includes the fix addressing the stored XSS issue.
- Check your current version of diplodoc-platform/search-extension.
- Upgrade to version 3.0.3 or later, preferably the latest version 3.0.5.
- Verify the update by reviewing the release notes and ensuring the fix is applied.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored XSS via the title in a .md file in versions 1.0.0 through 3.x before 3.0.3 of the diplodoc search-extension.
To detect this vulnerability on your system, you can check the installed version of the diplodoc search-extension to see if it is within the affected range (1.0.0 through versions before 3.0.3).
A common approach is to run commands that identify the installed package version. For example, if using npm, you can run:
- `npm list @diplodoc/search-extension`
If the version is within the vulnerable range, you should consider upgrading to version 3.0.3 or later.
Additionally, to detect exploitation attempts, you can monitor for suspicious or unexpected script tags or JavaScript code embedded in the title fields of .md files processed or stored by the extension.
For network detection, inspecting HTTP traffic for payloads containing script tags in .md file titles might help, but no specific commands or signatures are provided in the available resources.
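The two checks the answers above describe, the version-range test and a scan of Markdown titles for markup, as an added Python example that is not part of the advisory or of the project's own code. It assumes `npm list` prints `@diplodoc/search-extension@<version>` on one line and that titles live in a front-matter `title:` field or the first H1; the sample inputs and the suspicious-markup pattern are constructed for the example.

```python
import re
from typing import Optional

# Affected range as stated in the advisory: 1.0.0 (inclusive) to 3.0.3 (exclusive).
AFFECTED_MIN = (1, 0, 0)
FIXED_IN = (3, 0, 3)

# Constructed sample inputs (not real scan output).
SAMPLE_NPM_LIST = "my-docs@1.0.0 /srv/docs\n└── @diplodoc/search-extension@3.0.2\n"
SAMPLE_CLEAN_MD = '---\ntitle: "Getting started"\n---\n# Getting started\n'
SAMPLE_BAD_MD = '---\ntitle: "Getting started<script>/*constructed*/</script>"\n---\nbody\n'

def parse_semver(version: str) -> tuple:
    """'3.0.2' or 'v3.0.2-beta.1' -> (3, 0, 2); pre-release tags are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version: str) -> bool:
    """True when 1.0.0 <= version < 3.0.3, i.e. inside the advisory's range."""
    return AFFECTED_MIN <= parse_semver(version) < FIXED_IN

def installed_version(npm_list_output: str) -> Optional[str]:
    """Pull the @diplodoc/search-extension version out of `npm list` output."""
    m = re.search(r"@diplodoc/search-extension@(\S+)", npm_list_output)
    return m.group(1) if m else None

# Markup that has no business in a page title: tags, javascript: URLs, on*= handlers.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon\w+\s*=", re.I)

def title_from_markdown(text: str) -> Optional[str]:
    """Return the front-matter `title:` value, falling back to the first H1."""
    fm = re.match(r"---\s*\n(.*?)\n---", text, re.S)
    if fm:
        t = re.search(r"^title:\s*(.+)$", fm.group(1), re.M)
        if t:
            return t.group(1).strip().strip("\"'")
    h1 = re.search(r"^#\s+(.+)$", text, re.M)
    return h1.group(1).strip() if h1 else None

def title_is_suspicious(text: str) -> bool:
    """Flag a Markdown file whose title carries HTML or script-like content."""
    title = title_from_markdown(text)
    return bool(title and SUSPICIOUS.search(title))

if __name__ == "__main__":
    ver = installed_version(SAMPLE_NPM_LIST)
    print(f"installed {ver}: affected={is_affected(ver) if ver else 'unknown'}")
```

Point `installed_version` at real `npm list` output and `title_is_suspicious` at each `.md` file in the docs tree; a hit on the second check is a finding to review, not proof of exploitation.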