CVE-2020-26297

Name: CVE-2020-26297
Creator: NVD / NIST
Published: 2021-01-04T19:15:15.173+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.1/10EPSS 1.25%

Last modified Jun 17, 2026

CVE-2020-26297 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. mdBook is a utility to create modern online books from Markdown files and is written in Rust. In mdBook before version 0.4.5, there is a vulnerability affecting the search feature of mdBook, which could allow an attacker to execute arbitrary JavaScript code on the page. EPSS estimates a 1.25% chance of exploitation in the next 30 days.

Description

mdBook is a utility to create modern online books from Markdown files and is written in Rust. In mdBook before version 0.4.5, there is a vulnerability affecting the search feature of mdBook, which could allow an attacker to execute arbitrary JavaScript code on the page. The search feature of mdBook (introduced in version 0.1.4) was affected by a cross site scripting vulnerability that allowed an attacker to execute arbitrary JavaScript code on an user's browser by tricking the user into typing a malicious search query, or tricking the user into clicking a link to the search page with the malicious search query prefilled. mdBook 0.4.5 fixes the vulnerability by properly escaping the search query. Owners of websites built with mdBook have to upgrade to mdBook 0.4.5 or greater and rebuild their website contents with it.

Metrics

CVSS 3.1

6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability

1.25%

65.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions
Rust-Lang	Mdbook	>= 0.1.4, < 0.4.5

References

https://crates.io/crates/mdbookProduct, Third Party Advisory
https://github.com/rust-lang/mdBook/blob/master/CHANGELOG.md#mdbook-045Release Notes, Third Party Advisory
https://github.com/rust-lang/mdBook/commit/32abeef088e98327ca0dfccdad92e84afa9d2e9bPatch, Third Party Advisory
https://github.com/rust-lang/mdBook/security/advisories/GHSA-gx5w-rrhp-f436Mitigation, Third Party Advisory
https://groups.google.com/g/rustlang-security-announcements/c/3-sO6of29O0Mailing List, Third Party Advisory
https://crates.io/crates/mdbookProduct, Third Party Advisory
https://github.com/rust-lang/mdBook/blob/master/CHANGELOG.md#mdbook-045Release Notes, Third Party Advisory
https://github.com/rust-lang/mdBook/commit/32abeef088e98327ca0dfccdad92e84afa9d2e9bPatch, Third Party Advisory
https://github.com/rust-lang/mdBook/security/advisories/GHSA-gx5w-rrhp-f436Mitigation, Third Party Advisory
https://groups.google.com/g/rustlang-security-announcements/c/3-sO6of29O0Mailing List, Third Party Advisory

Timeline

Published: Jan 4, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-26297?

How severe is CVE-2020-26297?

CVE-2020-26297 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 1.25% probability of exploitation in the next 30 days.

How do I fix CVE-2020-26297?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-26297?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST