cvedb.io
CVE-2024-45389
MEDIUM · CVSS 6.4
EPSS exploitation probability: 0%
Published 2024-09-03T20:15:08.217 · Last modified 2026-06-17T07:54:07.203

Summary

Pagefind, a fully static search library, initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script the user loads. This information is gathered by looking up the value of `document.currentScript.src`. Prior to Pagefind version 1.1.1, it is possible to "clobber" this lookup with otherwise benign HTML on the page. This will cause `document.currentScript.src` to resolve to an external domain, which will then be used by Pagefind to load dependencies. This exploit would only work in the case that an attacker could inject HTML into a live, hosted website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, `img` tags with a `name` at
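The summary describes the root cause (a named element overriding the built-in `document.currentScript` property) but not what a hardened lookup looks like. The following is an added example, not Pagefind's code and not the fix shipped in 1.1.1: the resolver only trusts `document.currentScript` when it is a real `<script>` element served from an expected origin, and otherwise falls back to a configured base path. The function names (`resolveAssetBase`, `isScriptElement`), the sample URLs and the object stand-ins for DOM elements are all assumptions constructed for the demo.

```javascript
// Added example (not Pagefind's own code). Hardened version of the
// "where do I load my runtime chunks from?" decision that a static
// library makes at startup from document.currentScript.src.
//
// Risk: the HTML spec lets elements with a `name` override built-in
// properties of `document` (DOM clobbering). An injected
// <img name="currentScript" src="..."> therefore makes the naive
// `document.currentScript.src` lookup return an attacker-chosen URL.
// Mitigation: only trust a genuine <script> element on an allowed origin;
// otherwise use a base path the site owner configured.

function isScriptElement(el) {
  if (el === null || typeof el !== "object") return false;
  // In a browser, use the real type check: an <img> is never an HTMLScriptElement.
  if (typeof HTMLScriptElement !== "undefined") return el instanceof HTMLScriptElement;
  // Outside a browser (Node, for this runnable demo) fall back to the tag name.
  return el.tagName === "SCRIPT";
}

/**
 * @param {Element|null} currentScript  value of document.currentScript
 * @param {string} pageUrl               location.href of the embedding page
 * @param {string} fallbackBase          configured base used when currentScript cannot be trusted
 * @param {string[]} [allowedOrigins]    origins allowed to host the runtime (default: page origin only)
 * @returns {{base: string, reason: string}}
 */
function resolveAssetBase(currentScript, pageUrl, fallbackBase, allowedOrigins) {
  if (currentScript === null || currentScript === undefined) {
    // Module scripts and async callbacks have no currentScript at all.
    return { base: fallbackBase, reason: "no-current-script" };
  }
  if (!isScriptElement(currentScript)) {
    // The clobbering case: a named <img>/<form>/... masquerading as the script.
    return { base: fallbackBase, reason: "not-a-script-element" };
  }
  let scriptUrl;
  try {
    scriptUrl = new URL(currentScript.src, pageUrl);
  } catch {
    return { base: fallbackBase, reason: "unparseable-src" };
  }
  const trusted = allowedOrigins || [new URL(pageUrl).origin];
  if (!trusted.includes(scriptUrl.origin)) {
    return { base: fallbackBase, reason: "untrusted-origin" };
  }
  // Directory of the script, without query string or fragment.
  const dir = scriptUrl.pathname.slice(0, scriptUrl.pathname.lastIndexOf("/") + 1);
  return { base: scriptUrl.origin + dir, reason: "ok" };
}

// Constructed sample inputs: plain objects standing in for DOM elements.
const PAGE = "https://example.org/docs/index.html";
const realScript = { tagName: "SCRIPT", src: "/pagefind/pagefind.js" };
const clobberImg = { tagName: "IMG", src: "https://attacker.invalid/pagefind.js" };

console.log(resolveAssetBase(realScript, PAGE, "/pagefind/"));
console.log(resolveAssetBase(clobberImg, PAGE, "/pagefind/"));
```

In a browser the `instanceof HTMLScriptElement` branch is the one that matters; the tag-name fallback exists only so the block runs under Node. Sites that legitimately serve the library from a CDN pass that origin in `allowedOrigins`, otherwise a cross-origin script also falls back to the configured base rather than being trusted.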

Affected products

pagefind — pagefind

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.