VYPR
Medium severity (5.4) · NVD Advisory · Published May 1, 2026 · Updated May 5, 2026

CVE-2026-40201

Description

@diplodoc/search-extension 1.0.0 through 3.x before 3.0.3 allows stored XSS via the title in a .md file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Diplodoc search-extension versions 1.0.0 to 3.0.2 allow stored XSS via a malicious .md file title, fixed in 3.0.3.

Vulnerability

Overview

The @diplodoc/search-extension package, which provides offline search for the Diplodoc platform, contains a stored cross-site scripting (XSS) vulnerability. Versions 1.0.0 through 3.x before 3.0.3 do not properly sanitize the title field of Markdown (.md) files when building the search index. An attacker who can submit or modify a .md file with a crafted title can inject arbitrary JavaScript that will execute when a user searches for that content [1][2].

Exploitation

Scenario

To exploit this vulnerability, an attacker must have the ability to upload or edit a Markdown file within a project that uses the affected search-extension. No authentication beyond normal file write permissions is required; the attack vector is the file's title metadata. When the indexer processes the malicious file, it stores the unsanitized title. Subsequently, any user performing a search that returns the crafted file will trigger the stored XSS payload in their browser [1][4]. The attacker does not need network-level access—only the ability to contribute content to the indexed repository.

Impact

A successful stored XSS attack can lead to session hijacking, credential theft, or arbitrary actions performed in the context of the victim's authenticated session. Since the exploit executes in the search results page, it can also be used to deface the search interface or redirect users to malicious sites. The CVSS v3 score is 5.4 (Medium), reflecting the need for authenticated file upload but the potential for significant client-side compromise [2].

Mitigation

The vulnerability is patched in version 3.0.3, released on April 30, 2026 [3]. Users should update immediately. No workarounds are documented; removing the search extension is an alternative if upgrading is not feasible. The fix was implemented via a pull request that properly escapes or sanitizes the title field when building the search index [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: @diplodoc/search-extension (npm)
Affected versions: >= 1.0.0, < 3.0.5
Patched versions: 3.0.5

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.