Stored XSS in Search Extension Product by Diplodoc
CVE-2026-40201

5.4MEDIUM

Key Information:

Vendor

Diplodoc-platform

Status
@diplodoc/search-extension
Vendor
CVE Published:
1 May 2026

What is CVE-2026-40201?

The Diplodoc Search Extension, versions 1.0.0 through 3.x (prior to 3.0.3), is vulnerable to stored Cross-Site Scripting (XSS) attacks. This vulnerability allows attackers to inject malicious scripts via the title field in .md files. When these files are processed and displayed, the injected scripts can be executed in the user's browser context, potentially compromising user data and session security. Users are advised to upgrade to version 3.0.3 or later to mitigate this risk.

Affected Version(s)

@diplodoc/search-extension Windows 1.0.0 < 3.0.3

References

https://github.com/diplodoc-platform/search-extension/rel...
product
https://github.com/diplodoc-platform/search-extension/pul...
https://github.com/diplodoc-platform/search-extension/rel...

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.