Pagefind · Pagefind · CVE-2024-45389
Name of the Vulnerable Software and Affected Versions:
Pagefind versions prior to 1.1.1
Description:
A DOM Clobbering vulnerability exists in Pagefind, allowing an attacker to escalate privileges through injected HTML. It applies when an attacker can add some elements to a page, such as `img` tags with a `name` attribute, but not others such as `script`, since being able to add a `script` would already be an XSS vector. The vulnerability relies on the `document.currentScript.src` lookup being shadowed by an attacker-controlled HTML element, causing Pagefind to load dependencies from an external domain. There are no reports of this being exploited in the wild via Pagefind.
Recommendations:
For Pagefind versions prior to 1.1.1, update to version 1.1.1 or later to resolve the issue. As a temporary workaround, consider restricting the ability to inject HTML elements with `name` attributes on pages using Pagefind.
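The shadowed `document.currentScript.src` lookup described above can be guarded by validating what the lookup returns before using it. The following is an added example, not Pagefind's code or its 1.1.1 fix; `resolveScriptBase`, its parameters, and the sample URLs are hypothetical and constructed for illustration.

```javascript
// Defensive resolution of the loading script's base URL.
// Added example: function name, parameters and sample data are assumptions.
function resolveScriptBase(doc, pageUrl, allowedOrigins, fallback) {
  const el = doc.currentScript;
  // A shadowing element such as <img name="currentScript"> is not a SCRIPT
  // element. In a browser, `el instanceof HTMLScriptElement` is the stronger
  // check; tagName is used here so the example also runs outside a browser.
  const isScript =
    el !== null && typeof el === "object" &&
    typeof el.tagName === "string" && el.tagName.toUpperCase() === "SCRIPT";
  // Reject non-script values and any src that is not a non-empty string.
  if (!isScript || typeof el.src !== "string" || el.src === "") return fallback;
  let url;
  try {
    url = new URL(el.src, pageUrl);
  } catch {
    return fallback; // unparseable src
  }
  // Only load dependencies from origins the site operator has listed.
  if (!allowedOrigins.includes(url.origin)) return fallback;
  return new URL(".", url).href; // directory that contains the script
}

// Constructed stand-ins for `document` in four situations.
const PAGE = "https://site.example/docs/";
const ALLOWED = ["https://site.example"];
const FALLBACK = "https://site.example/static/search/";
const genuineDoc = {
  currentScript: { tagName: "SCRIPT", src: "https://site.example/pagefind/ui.js" },
};
const clobberedDoc = {
  currentScript: { tagName: "IMG", name: "currentScript", src: "https://other.invalid/x/" },
};
const offOriginDoc = {
  currentScript: { tagName: "SCRIPT", src: "https://other.invalid/pagefind/ui.js" },
};
const moduleDoc = { currentScript: null }; // currentScript is null in module scripts

function demo() {
  return [genuineDoc, clobberedDoc, offOriginDoc, moduleDoc].map((d) =>
    resolveScriptBase(d, PAGE, ALLOWED, FALLBACK)
  );
}

console.log(demo());
```

Only the genuine script element on an allowed origin yields its own directory; every other case falls back to the operator-configured path.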