Skip to main content

react-doc-viewer CVE-2026-30691

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-20 mitre
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 20, 2026 - 20:33 vuln.today
CVSS changed
May 20, 2026 - 20:22 NVD
6.1 (None) 6.1 (MEDIUM)
CVE Published
May 20, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 38 npm packages depend on @cyntler/react-doc-viewer (37 direct, 1 indirect)

Ecosystem-wide dependent count for version 1.17.1.

DescriptionCVE.org

Cross-Site Scripting (XSS) vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanitize file content and explicitly casts raw data as a ReactNode

AnalysisAI

Stored/reflected Cross-Site Scripting in @cyntler/react-doc-viewer v1.17.1 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted .txt file for rendering. The TXTRenderer component unsafely casts raw file content directly as a ReactNode without sanitization, bypassing React's default escaping and enabling HTML/script injection. A publicly available proof-of-concept exists; no confirmed active exploitation in CISA KEV at time of analysis.

Technical ContextAI

The affected library, @cyntler/react-doc-viewer v1.17.1 (an npm React component for in-browser document preview), includes a TXTRenderer sub-component responsible for rendering plain-text files. React normally escapes string content rendered to the DOM, but the TXTRenderer explicitly casts raw file buffer data as a ReactNode - a React type that accepts JSX elements and raw HTML structures - circumventing React's built-in XSS protections. This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw rooted in unsafe type coercion rather than a missing sanitization call. The scope is changed (S:C in the CVSS vector) because script execution escapes the document viewer component and can access the full browser origin context of the hosting application. CPE data provided is generic (n/a:n/a), so affected version scope is limited to what the description and GitHub issue confirm: v1.17.1.

RemediationAI

No vendor-released patched version is identified in the available intelligence data; absence of a confirmed fix version should not be interpreted as confirmation that no patch exists - check the upstream repository at https://github.com/cyntler/react-doc-viewer/issues/317 for a released fix before taking compensating action. Until a patched version is confirmed, the most effective compensating control is to disable or remove the TXTRenderer component from the viewer configuration, preventing .txt files from being rendered via the vulnerable code path (trade-off: loss of plain-text document preview capability). If TXTRenderer cannot be disabled, restrict the document viewer to only accept files from trusted, server-validated sources rather than allowing arbitrary user-supplied uploads. Additionally, deploying a Content Security Policy (CSP) header with a restrictive script-src directive on the hosting page can limit the impact of any injected script by preventing execution of inline scripts or restricting allowed script origins (trade-off: may break legitimate functionality if the application relies on inline scripts). Monitor the upstream GitHub repository and the POC repository at https://github.com/walidriouah/CVE-2026-30691 for patch releases.

Share

CVE-2026-30691 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy