Medium severity6.1NVD Advisory· Published Jul 20, 2020· Updated Jun 17, 2026
CVE-2020-7680
CVE-2020-7680
Description
docsify prior to 4.11.4 is susceptible to Cross-site Scripting (XSS). Docsify.js uses fragment identifiers (parameters after # sign) to load resources from server-side .md files. Due to lack of validation here, it is possible to provide external URLs after the /#/ (domain.com/#//attacker.com) and render arbitrary JavaScript/HTML inside docsify page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
docsifynpm | < 4.11.4 | 4.11.4 |
Affected products
2- docsify/docsifydescription
Patches
Vulnerability mechanics
References
8- github.com/docsifyjs/docsify/pull/1128nvdPatchThird Party AdvisoryWEB
- packetstormsecurity.com/files/158515/Docsify.js-4.11.4-Cross-Site-Scripting.htmlnvdExploitThird Party AdvisoryVDB EntryWEB
- packetstormsecurity.com/files/161495/docsify-4.11.6-Cross-Site-Scripting.htmlnvdExploitThird Party AdvisoryWEB
- seclists.org/fulldisclosure/2021/Feb/71nvdMailing ListThird Party AdvisoryWEB
- github.com/advisories/GHSA-qpqh-46qj-vwcwghsaADVISORY
- github.com/docsifyjs/docsify/issues/1126nvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2020-7680ghsaADVISORY
- snyk.io/vuln/SNYK-JS-DOCSIFY-567099nvdThird Party AdvisoryWEB
News mentions
0No linked articles in our index yet.