Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 38 npm packages depend on @cyntler/react-doc-viewer (37 direct, 1 indirect)
Ecosystem-wide dependent count for version 1.17.1.
DescriptionCVE.org
Cross-Site Scripting (XSS) vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanitize file content and explicitly casts raw data as a ReactNode
AnalysisAI
Stored/reflected Cross-Site Scripting in @cyntler/react-doc-viewer v1.17.1 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted .txt file for rendering. The TXTRenderer component unsafely casts raw file content directly as a ReactNode without sanitization, bypassing React's default escaping and enabling HTML/script injection. A publicly available proof-of-concept exists; no confirmed active exploitation in CISA KEV at time of analysis.
Technical ContextAI
The affected library, @cyntler/react-doc-viewer v1.17.1 (an npm React component for in-browser document preview), includes a TXTRenderer sub-component responsible for rendering plain-text files. React normally escapes string content rendered to the DOM, but the TXTRenderer explicitly casts raw file buffer data as a ReactNode - a React type that accepts JSX elements and raw HTML structures - circumventing React's built-in XSS protections. This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw rooted in unsafe type coercion rather than a missing sanitization call. The scope is changed (S:C in the CVSS vector) because script execution escapes the document viewer component and can access the full browser origin context of the hosting application. CPE data provided is generic (n/a:n/a), so affected version scope is limited to what the description and GitHub issue confirm: v1.17.1.
RemediationAI
No vendor-released patched version is identified in the available intelligence data; absence of a confirmed fix version should not be interpreted as confirmation that no patch exists - check the upstream repository at https://github.com/cyntler/react-doc-viewer/issues/317 for a released fix before taking compensating action. Until a patched version is confirmed, the most effective compensating control is to disable or remove the TXTRenderer component from the viewer configuration, preventing .txt files from being rendered via the vulnerable code path (trade-off: loss of plain-text document preview capability). If TXTRenderer cannot be disabled, restrict the document viewer to only accept files from trusted, server-validated sources rather than allowing arbitrary user-supplied uploads. Additionally, deploying a Content Security Policy (CSP) header with a restrictive script-src directive on the hosting page can limit the impact of any injected script by preventing execution of inline scripts or restricting allowed script origins (trade-off: may break legitimate functionality if the application relies on inline scripts). Monitor the upstream GitHub repository and the POC repository at https://github.com/walidriouah/CVE-2026-30691 for patch releases.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today