CVE-2025-59940: CWE-20: Improper Input Validation in mondeja mkdocs-include-markdown-plugin
mkdocs-include-markdown-plugin is an Mkdocs Markdown includer plugin. In versions 7.1.7 and below, there is a vulnerability where unvalidated input can collide with substitution placeholders. This issue is fixed in version 7.1.8.
AI Analysis
Technical Summary
The mkdocs-include-markdown-plugin by mondeja is a tool used to include Markdown content within Mkdocs documentation builds. Versions 7.1.7 and earlier contain a vulnerability classified as CWE-20: Improper Input Validation. Specifically, the plugin fails to properly validate input that interacts with the substitution placeholders it uses during Markdown processing, so included content can collide with those placeholders and produce unintended substitutions, potentially allowing an attacker to manipulate the documentation build. The vulnerability can lead to integrity issues by injecting or altering content unexpectedly, and availability issues if the build process is disrupted or crashes. The CVSS v3.1 score is 6.5 (medium severity), reflecting that the vulnerability is remotely exploitable without authentication or user interaction, with low attack complexity. The scope is unchanged, meaning the impact is confined to the vulnerable component rather than extending to other components. No known exploits have been reported in the wild as of the publication date. The issue is resolved in version 7.1.8 by introducing proper input validation to prevent substitution collisions. Organizations using Mkdocs with this plugin should prioritize upgrading to avoid potential manipulation of their documentation outputs or build failures.
Potential Impact
For European organizations, the vulnerability could undermine the integrity and availability of internal or public-facing documentation generated with Mkdocs using the vulnerable plugin. This may affect software development teams, technical writers, and any departments relying on automated documentation pipelines. Altered or corrupted documentation can mislead users or developers, potentially causing operational errors or security misunderstandings. Disruptions in documentation build processes could delay releases or updates. While the vulnerability does not directly expose confidential data, the integrity and availability impacts can indirectly affect business operations and trust. Organizations with extensive use of open-source tooling and continuous integration pipelines are at higher risk. The lack of known exploits reduces the immediate threat but does not eliminate the risk of future attacks, especially in environments where documentation is critical for compliance or operational accuracy.
Mitigation Recommendations
The primary mitigation is to upgrade the mkdocs-include-markdown-plugin to version 7.1.8 or later, where the input validation flaw is fixed. Organizations should audit their documentation build pipelines to identify usage of this plugin and confirm version compliance. Additionally, review and sanitize all Markdown inputs that may be processed by the plugin to avoid unsafe substitution placeholders or unexpected content injection. Implement monitoring on documentation build processes to detect anomalies or failures that could indicate exploitation attempts. Integrate plugin version checks into continuous integration workflows to prevent deployment of vulnerable versions. Educate developers and technical writers about the risks of unvalidated inputs in documentation tooling. Finally, maintain awareness of updates from the plugin vendor and the Mkdocs community for any further security advisories.
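One way to implement the recommended CI version gate, as an added example that is not part of the advisory or of the plugin itself: the script scans `pip freeze`-style exact pins (`name==version`) for the plugin and fails when the pinned release is below the fixed version 7.1.8 named above. It assumes exact pins only (range specifiers are reported as absent) and parses just the dotted release segment, ignoring pre-release or local suffixes.

```python
"""CI gate for CVE-2025-59940: flag pinned mkdocs-include-markdown-plugin < 7.1.8.

Added example, not the plugin's or the advisory's own code. Dependency-free:
version parsing is simplified to the numeric release segment (no full PEP 440).
"""
import re
import sys
from typing import Optional

PACKAGE = "mkdocs-include-markdown-plugin"
FIXED_VERSION = "7.1.8"  # first fixed release per the advisory

# Exact pins only ("name==1.2.3"); ranges such as ">=7.0" are intentionally ignored.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")


def normalise_name(name: str) -> str:
    """PEP 503 style normalisation: '-', '_' and '.' are equivalent, case-insensitive."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_release(version: str) -> tuple:
    """'7.1.8' -> (7, 1, 8); a suffix like 'rc1' or '.post1' after the digits is dropped."""
    m = re.match(r"^(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def find_pinned_version(requirements: str) -> Optional[str]:
    """Return the plugin's pinned version from requirements/freeze text, or None."""
    for line in requirements.splitlines():
        m = _PIN_RE.match(line)
        if m and normalise_name(m.group(1)) == PACKAGE:
            return m.group(2)
    return None


def is_vulnerable(version: str) -> bool:
    """Versions 7.1.7 and below are affected; 7.1.8 and later are fixed."""
    return parse_release(version) < parse_release(FIXED_VERSION)


def check_requirements(requirements: str) -> str:
    """Classify a requirements text as 'vulnerable', 'fixed' or 'absent'."""
    pinned = find_pinned_version(requirements)
    if pinned is None:
        return "absent"
    return "vulnerable" if is_vulnerable(pinned) else "fixed"


if __name__ == "__main__":
    # Read a lockfile path from argv, else use a constructed sample pin.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else f"{PACKAGE}==7.1.7\n"
    result = check_requirements(text)
    print(f"{PACKAGE}: {result}")
    sys.exit(1 if result == "vulnerable" else 0)
```

Run it as `python check_plugin.py requirements.txt` in a CI step; a non-zero exit blocks deployment of a vulnerable pin.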
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-23T14:33:49.505Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68db1fa6a473ffe031e278a5
Added to database: 9/30/2025, 12:09:10 AM
Last enriched: 10/7/2025, 12:49:45 AM
Last updated: 11/16/2025, 8:01:40 PM