CVE-2020-7680
Description
docsify prior to 4.11.4 is susceptible to Cross-site Scripting (XSS). Docsify.js uses fragment identifiers (parameters after the # sign) to load resources from server-side .md files. Due to a lack of validation here, it is possible to provide external URLs after the /#/ (domain.com/#//attacker.com) and render arbitrary JavaScript/HTML inside the docsify page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
docsify before 4.11.4 fails to validate fragment identifiers, allowing XSS via external URLs after /#/.
Vulnerability Overview
CVE-2020-7680 is a cross-site scripting (XSS) vulnerability in the documentation site generator docsify, affecting all versions prior to 4.11.4. The root cause lies in how docsify.js processes fragment identifiers — the part of the URL after the # sign. The library uses this fragment to load resource files (typically .md files) from the server. However, the input is not properly validated or sanitized, making it possible to supply an external URL such as domain.com/#//attacker.com [1][2].
Exploitation Mechanics
An attacker can craft a malicious link that, when visited by a victim, causes docsify to fetch and render content from an attacker-controlled external URL. Because the fragment identifier is used to directly load resources, and no sanitization is applied, arbitrary JavaScript or HTML from the external source is executed within the context of the docsify page [2]. The proof-of-concept provided by the researcher (Amin Sharifi) demonstrates this by loading content from asharifi.pythonanywhere.com [2].
Impact
Successful exploitation results in stored or reflected cross-site scripting (XSS), depending on how the crafted link is delivered. An attacker can execute arbitrary scripts in the victim’s browser, potentially stealing session cookies, exfiltrating sensitive data, or performing actions on behalf of the user within the docsify application [1][2].
Mitigation
Users are advised to upgrade to docsify version 4.11.4 or later. The fix was implemented in pull request #1128, which added an HTML sanitizer for remote rendering to prevent injection of malicious content [3]. The vulnerability was reported via GitHub issue #1126 and disclosed on June 22, 2020, with the fix released shortly afterward [4][2].
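The missing validation described above can be seen by resolving the fragment's path the way a browser does. The following is an added example, not docsify's code and not the sanitizer from pull request #1128; the function names and the page origin `https://domain.com/` are assumptions, and the sample fragments are constructed.

```javascript
// Added example, not docsify source. Function names and the page origin
// https://domain.com/ are assumptions; sample fragments are constructed.

// Resolve the path carried in the fragment the way the browser resolves
// a request URL relative to the current page.
function resolveRoute(fragment, pageUrl) {
  const path = fragment.replace(/^#/, ''); // "#/guide" -> "/guide"
  return new URL(path, pageUrl);
}

// True only when the resolved target stays on the page's own origin.
function isSameOriginRoute(fragment, pageUrl) {
  try {
    return resolveRoute(fragment, pageUrl).origin === new URL(pageUrl).origin;
  } catch (err) {
    return false; // unparsable target: refuse to load it
  }
}

// Classify a batch of fragments in one pass, reporting the host each resolves to.
function classifyFragments(fragments, pageUrl) {
  return fragments.map((fragment) => {
    const allowed = isSameOriginRoute(fragment, pageUrl);
    let host = null;
    try { host = resolveRoute(fragment, pageUrl).host; } catch (err) { /* keep null */ }
    return { fragment, host, allowed };
  });
}

const PAGE = 'https://domain.com/';
const SAMPLES = [
  '#/guide/install',   // ordinary route
  '#//attacker.com',   // protocol-relative form from the CVE description
  '#/\\attacker.com',  // backslash variant: parsed like "//" for https URLs
  '#/',                // site root
];

for (const row of classifyFragments(SAMPLES, PAGE)) {
  console.log(row.allowed ? 'allow' : 'block', row.fragment, '->', row.host);
}
```

Comparing origins after resolution, rather than pattern-matching the raw string, is what catches the backslash variant.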
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| docsify (npm) | < 4.11.4 | 4.11.4 |
Affected products
- docsify/docsify
References
- github.com/advisories/GHSA-qpqh-46qj-vwcw
- nvd.nist.gov/vuln/detail/CVE-2020-7680
- packetstormsecurity.com/files/158515/Docsify.js-4.11.4-Cross-Site-Scripting.html
- packetstormsecurity.com/files/161495/docsify-4.11.6-Cross-Site-Scripting.html
- seclists.org/fulldisclosure/2021/Feb/71
- github.com/docsifyjs/docsify/issues/1126
- github.com/docsifyjs/docsify/pull/1128
- snyk.io/vuln/SNYK-JS-DOCSIFY-567099