VYPR
Moderate severity · NVD Advisory · Published Apr 2, 2021 · Updated Aug 3, 2024

CVE-2021-30074

Description

docsify 4.12.1 is affected by Cross Site Scripting (XSS) because the search component does not appropriately encode Code Blocks and mishandles the " character.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

docsify 4.12.1 search plugin fails to escape code blocks, allowing stored XSS via a crafted markdown file.

Vulnerability

This cross-site scripting (XSS) vulnerability exists in the search component of docsify version 4.12.1. The issue stems from improper encoding of code blocks and mishandling of the double-quote (") character during search operations. When an attacker creates a markdown file containing a crafted code block with an XSS payload (e.g., xss"><"), the search plugin fails to escape the HTML, allowing the payload to be rendered when a user searches for related text. The affected version is docsify 4.12.1, as reported in the GitHub issue [2].

Exploitation

An attacker requires the ability to create or modify markdown files within the documentation site served by docsify. The exploit involves writing a markdown file (e.g., xss.md) containing a code block with a malicious payload such as xss"><". When an authenticated user or visitor uses the search functionality and enters a query that triggers the display of this file in the search results, the payload is executed in the context of the user's browser. No additional user interaction beyond performing a search is required [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the context of the docsify application. This can lead to session hijacking, credential theft, defacement, or other malicious actions depending on the site's security posture. The attack targets the confidentiality and integrity of user sessions, though the scope is limited to the domain hosting the docsify instance. The CVSS score has not been published in the available references, but the vulnerability is clearly stored XSS [1][2].

Mitigation

The fix was implemented in pull request #1551, which adds escapeHtml for search results [3]. The commit was merged into the develop branch on April 1, 2021, and included in a subsequent release. Users should upgrade to a version of docsify that includes the fix, specifically after the 4.12.1 release. As a workaround, administrators can disable the search plugin or manually sanitize search output until an update is applied. No evidence of this CVE being listed in the KEV catalog has been found in the provided references [1][3].
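The escaping step described above, as an added example that is not docsify's own code: a search-result highlighter in its unescaped "before" form beside the form that encodes both the indexed content and the keyword before matching. The helper names, the `<mark>` highlight tag and the sample string are assumptions made for illustration.

```javascript
// Illustrative helper (not docsify's escapeHtml): encode the characters that
// are significant in HTML text and in quoted attribute values.
function escapeHtml(text) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, ch => entities[ch]);
}

// Escape regex metacharacters so the keyword is matched literally.
function escapeRegExp(text) {
  return text.replace(/[|\\{}()[\]^$+*?.]/g, '\\$&');
}

// "Before": raw indexed content is highlighted and handed back as markup,
// so any tags inside the content survive into the result list.
function renderUnsafe(content, keyword) {
  const re = new RegExp(escapeRegExp(keyword), 'gi');
  return content.replace(re, m => `<mark>${m}</mark>`);
}

// "After": content and keyword are encoded the same way first, so the
// keyword still matches and the only real tags are the highlighter's own.
function renderSafe(content, keyword) {
  const re = new RegExp(escapeRegExp(escapeHtml(keyword)), 'gi');
  return escapeHtml(content).replace(re, m => `<mark>${m}</mark>`);
}

// Count tags in a rendered result other than the highlighter's <mark>.
function foreignTags(html) {
  return (html.match(/<(?!\/?mark\b)[^>]*>/g) || []).length;
}

// Constructed sample: text as it might be indexed from a fenced code block.
const SAMPLE = 'config "><b id="injected">x</b> value';

console.log(renderUnsafe(SAMPLE, 'config'), foreignTags(renderUnsafe(SAMPLE, 'config')));
console.log(renderSafe(SAMPLE, 'config'), foreignTags(renderSafe(SAMPLE, 'config')));
```

Encoding the keyword as well as the content is what keeps a search for a literal `"` or `<` working once the content has been encoded.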

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
docsify (npm) | < 4.12.2 | 4.12.2

Affected products

2

Patches

1
c24f7f6f0b87

fix: Add escapeHtml for search (#1551)

https://github.com/docsifyjs/docsify · 沈唁 · Apr 12, 2021 · via ghsa
1 file changed · +3 -3
  • src/plugins/search/search.js · +3 -3 · modified
    @@ -178,7 +178,7 @@ export function search(query) {
           keywords.forEach(keyword => {
             // From https://github.com/sindresorhus/escape-string-regexp
             const regEx = new RegExp(
    -          ignoreDiacriticalMarks(keyword).replace(
    +          escapeHtml(ignoreDiacriticalMarks(keyword)).replace(
                 /[|\\{}()[\]^$+*?.]/g,
                 '\\$&'
               ),
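Review bot: the `new RegExp(` argument now HTML-escapes the keyword before the metacharacter `.replace(...)`, but nothing at that call says why, and the existing `// From https://github.com/sindresorhus/escape-string-regexp` comment only covers the regex escaping. Add a one-line comment that the keyword has to be encoded the same way as the title and content it is matched against, and confirm `escapeHtml` is already in scope in search.js, since this diff adds no import or definition for it.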
    @@ -187,10 +187,10 @@ export function search(query) {
             let indexTitle = -1;
             let indexContent = -1;
             handlePostTitle = postTitle
    -          ? ignoreDiacriticalMarks(postTitle)
    +          ? escapeHtml(ignoreDiacriticalMarks(postTitle))
               : postTitle;
             handlePostContent = postContent
    -          ? ignoreDiacriticalMarks(postContent)
    +          ? escapeHtml(ignoreDiacriticalMarks(postContent))
               : postContent;
     
             indexTitle = postTitle ? handlePostTitle.search(regEx) : -1;
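Review bot: `handlePostTitle.search(regEx)` now runs against entity-encoded text, so if `escapeHtml` emits named entities, a keyword such as `amp` or `quot` will match inside `&amp;` or `&quot;` and the match offset can land in the middle of an entity. `indexTitle` and `indexContent` are also offsets into the escaped strings, so any later slicing or highlighting has to use `handlePostTitle` and `handlePostContent`, never the raw `postTitle` and `postContent`. A regression test with a title and a code block containing `"` and `<` would pin both behaviours down.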
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
