@diplodoc/search-extension versions 1.0.0 through 3.x before 3.0.3 contain a stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of input during web page generation. Specifically, the title field in markdown (.md) files is not properly sanitized, allowing an attacker to inject malicious scripts that are stored and executed in users' browsers when the content is rendered. This vulnerability has a CVSS 3.1 base score of 5.4, reflecting network attack vector, low attack complexity, requiring privileges and user interaction, and partial confidentiality and integrity impact with no availability impact. No vendor advisory or patch links are provided, and the remediation level is unknown.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the affected application, potentially leading to partial disclosure of information and modification of data within the user's session. There is no impact on system availability. The attack requires some level of privilege and user interaction, limiting the ease of exploitation. No known active exploits have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution when processing or rendering untrusted markdown files with titles, and consider implementing additional input sanitization or filtering at the application level to mitigate stored XSS risks.