{"url":"http://public2.vulnerablecode.io/api/packages/261306?format=json","purl":"pkg:npm/docsify@1.5.1","type":"npm","namespace":"","name":"docsify","version":"1.5.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.12.0","latest_non_vulnerable_version":"4.12.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52818?format=json","vulnerability_id":"VCID-1jjj-34qa-skaz","summary":"docsify is susceptible to Cross-site Scripting (XSS). `Docsify.js` uses fragment identifiers (parameters after `#` sign) to load resources from server-side `.md` files. Due to lack of validation here, it is possible to provide external URLs and render arbitrary `JavaScript/HTML` inside docsify page.","references":[{"reference_url":"http://packetstormsecurity.com/files/158515/Docsify.js-4.11.4-Cross-Site-Scripting.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/158515/Docsify.js-4.11.4-Cross-Site-Scripting.html"},{"reference_url":"http://packetstormsecurity.com/files/161495/docsify-4.11.6-Cross-Site-Scripting.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/161495/docsify-4.11.6-Cross-Site-Scripting.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-7680","reference_id":"","reference_type":"","scores":[{"value":"0.03162","scoring_system":"epss","scoring_elements":"0.87182","published_at":"2026-06-05T12:55:00Z"},{"value":"0.03162","scoring_system":"epss","scoring_elements":"0.87159","published_at":"2026-06-04T12:55:00Z"}],"url
":"https://api.first.org/data/v1/epss?cve=CVE-2020-7680"},{"reference_url":"http://seclists.org/fulldisclosure/2021/Feb/71","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2021/Feb/71"},{"reference_url":"https://github.com/docsifyjs/docsify/issues/1126","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/docsifyjs/docsify/issues/1126"},{"reference_url":"https://github.com/docsifyjs/docsify/pull/1128","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/docsifyjs/docsify/pull/1128"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-DOCSIFY-567099","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-DOCSIFY-567099"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/48681.txt","reference_id":"CVE-2020-7680","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/48681.txt"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7680","reference_id":"CVE-2020-7680","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C
/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7680"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77719?format=json","purl":"pkg:npm/docsify@4.11.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-xy6c-gr7v-5ygs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/docsify@4.11.4"}],"aliases":["CVE-2020-7680","GHSA-qpqh-46qj-vwcw"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1jjj-34qa-skaz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54087?format=json","vulnerability_id":"VCID-xy6c-gr7v-5ygs","summary":"Cross-site Scripting\nIt is possible to bypass the remediation for CVE-2020-7680 and execute malicious JavaScript through the following methods: 1) When parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization is not applied in the sidebar. 
2) The isURL external check can be bypassed by inserting more `////` characters","references":[{"reference_url":"http://packetstormsecurity.com/files/161495/docsify-4.11.6-Cross-Site-Scripting.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/161495/docsify-4.11.6-Cross-Site-Scripting.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23342","reference_id":"","reference_type":"","scores":[{"value":"0.00463","scoring_system":"epss","scoring_elements":"0.64635","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00463","scoring_system":"epss","scoring_elements":"0.64676","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23342"},{"reference_url":"http://seclists.org/fulldisclosure/2021/Feb/71","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2021/Feb/71"},{"reference_url":"https://github.com/docsifyjs/docsify/commit/ff2a66f12752471277fe81a64ad6c4b2c08111fe","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/docsifyjs/docsify/commit/ff2a66f12752471277fe81a64ad6c4b2c08111fe"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076593","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"g
eneric_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076593"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-DOCSIFY-1066017","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-DOCSIFY-1066017"},{"reference_url":"https://www.npmjs.com/package/docsify","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/docsify"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23342","reference_id":"CVE-2021-23342","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23342"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79790?format=json","purl":"pkg:npm/docsify@4.12.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/docsify@4.12.0"}],"aliases":["CVE-2021-23342","GHSA-2mm9-c2fx-c7m4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xy6c-gr7v-5ygs"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/docsify@1.5.1"}