Skip to main content

Mdex

6 CVEs product

Monthly

CVE-2026-53426 HIGH PATCH This Week

Unauthenticated denial-of-service in MDEx, an Elixir/Erlang CommonMark parsing library, lets an attacker crash the entire BEAM virtual machine by feeding a crafted JSON document to MDEx.parse_document/2's {:json, ...} source. Because each unique node_type value is interned as a permanent BEAM atom that is never garbage collected, a single deeply nested document can mint hundreds of thousands of atoms and exhaust the ~1,048,576-atom table, aborting every process on the node. The flaw affects mdex 0.4.3 through 0.13.1, is fixed in 0.13.2, and has no public exploit identified at time of analysis.

Denial Of Service Mdex
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-54889 MEDIUM PATCH This Month

Cross-site scripting in MDEx (Elixir Markdown library by leandrocp), versions 0.8.3 through 0.13.1, allows any attacker who can supply Markdown content to inject javascript: URLs that execute in the browser of any user who views the downstream-rendered output. The MDEx to_delta/2 function copies link, wikilink, and image URLs verbatim into Quill Delta attributes without a scheme allowlist, meaning a crafted payload like [click](javascript:alert(document.cookie)) survives intact; when a downstream renderer such as quill-delta-to-html converts that Delta to HTML, the javascript: scheme becomes an executable href. No public exploit has been identified at time of analysis, though the attack requires only standard Markdown syntax, and a vendor-released patch is available in version 0.13.2.

XSS Mdex
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-54888 MEDIUM PATCH This Month

Stack exhaustion in the mdex and mdex_native Elixir Markdown libraries causes entire-node denial of service when processing attacker-controlled deeply nested Markdown. Two mutually recursive Rust NIF functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document in document.rs, traverse the Comrak AST without enforcing a maximum nesting depth; a document with thousands of nested block quotes drives unbounded recursion that overflows the native C stack. Because the resulting SIGSEGV is raised inside a NIF, the Erlang runtime cannot catch it - the OS process hosting the BEAM terminates, killing every Elixir and Erlang process on the node. No public exploit has been identified at time of analysis, but the attack requires only crafted Markdown input with no authentication.

Denial Of Service Mdex Mdex Native
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-53429 MEDIUM PATCH This Month

Native Rust heap exhaustion in leandrocp mdex and mdex_native allows any attacker who can supply document content to MDEx.to_html/1 to crash the BEAM Erlang/Elixir node through unbounded memory accumulation. The Rust NIF permanently leaks memory by calling Box::leak on every escaped-tag literal string during document rendering, with no size cap or rate limit - leakage compounds across repeated renders proportional to literal_size multiplied by node_count, and the BEAM VM can never reclaim native allocations once surrendered this way. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; vendor-released patches are available in mdex 0.12.3 and mdex_native 0.2.3.

Denial Of Service Mdex Mdex Native
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-53428 MEDIUM PATCH This Month

Unbounded memory allocation in the MDEx Elixir Markdown rendering library allows a remote unauthenticated attacker to exhaust host memory and crash the BEAM virtual machine by submitting a single crafted fenced code block with an oversized highlight_lines range. Any application that renders user-supplied Markdown through MDEx.to_html/2 - such as a comment box, chat message, or wiki page - is exposed; a payload differing by only a few bytes can force hundreds of megabytes to gigabytes of allocation. No public exploit has been identified at time of analysis, though the attack payload is trivially constructable directly from the public advisory, and patched versions 0.12.3 (mdex) and 0.2.3 (mdex_native) are available.

Denial Of Service Mdex Mdex Native
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-53427 LOW PATCH Monitor

Stored and reflected cross-site scripting in MDEx's Lumis syntax highlighting adapter allows attackers who can submit Markdown content to inject arbitrary HTML and JavaScript into rendered output viewed by other users, enabling session theft and account takeover. The flaw exists in the native Rust code shared between the mdex (0.11.3-0.12.2) and mdex_native (0.1.0-0.2.2) packages, where the highlight_lines_class code-fence attribute is interpolated into per-line HTML div class attributes without escaping. Exploitation requires a non-default rendering configuration (full_info_string: true with syntax highlighting enabled); no public exploit identified at time of analysis, and vendor-released patches are available.

XSS Mdex Mdex Native
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.4%
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Unauthenticated denial-of-service in MDEx, an Elixir/Erlang CommonMark parsing library, lets an attacker crash the entire BEAM virtual machine by feeding a crafted JSON document to MDEx.parse_document/2's {:json, ...} source. Because each unique node_type value is interned as a permanent BEAM atom that is never garbage collected, a single deeply nested document can mint hundreds of thousands of atoms and exhaust the ~1,048,576-atom table, aborting every process on the node. The flaw affects mdex 0.4.3 through 0.13.1, is fixed in 0.13.2, and has no public exploit identified at time of analysis.

Denial Of Service Mdex
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-site scripting in MDEx (Elixir Markdown library by leandrocp), versions 0.8.3 through 0.13.1, allows any attacker who can supply Markdown content to inject javascript: URLs that execute in the browser of any user who views the downstream-rendered output. The MDEx to_delta/2 function copies link, wikilink, and image URLs verbatim into Quill Delta attributes without a scheme allowlist, meaning a crafted payload like [click](javascript:alert(document.cookie)) survives intact; when a downstream renderer such as quill-delta-to-html converts that Delta to HTML, the javascript: scheme becomes an executable href. No public exploit has been identified at time of analysis, though the attack requires only standard Markdown syntax, and a vendor-released patch is available in version 0.13.2.

XSS Mdex
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Stack exhaustion in the mdex and mdex_native Elixir Markdown libraries causes entire-node denial of service when processing attacker-controlled deeply nested Markdown. Two mutually recursive Rust NIF functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document in document.rs, traverse the Comrak AST without enforcing a maximum nesting depth; a document with thousands of nested block quotes drives unbounded recursion that overflows the native C stack. Because the resulting SIGSEGV is raised inside a NIF, the Erlang runtime cannot catch it - the OS process hosting the BEAM terminates, killing every Elixir and Erlang process on the node. No public exploit has been identified at time of analysis, but the attack requires only crafted Markdown input with no authentication.

Denial Of Service Mdex Mdex Native
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Native Rust heap exhaustion in leandrocp mdex and mdex_native allows any attacker who can supply document content to MDEx.to_html/1 to crash the BEAM Erlang/Elixir node through unbounded memory accumulation. The Rust NIF permanently leaks memory by calling Box::leak on every escaped-tag literal string during document rendering, with no size cap or rate limit - leakage compounds across repeated renders proportional to literal_size multiplied by node_count, and the BEAM VM can never reclaim native allocations once surrendered this way. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; vendor-released patches are available in mdex 0.12.3 and mdex_native 0.2.3.

Denial Of Service Mdex Mdex Native
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unbounded memory allocation in the MDEx Elixir Markdown rendering library allows a remote unauthenticated attacker to exhaust host memory and crash the BEAM virtual machine by submitting a single crafted fenced code block with an oversized highlight_lines range. Any application that renders user-supplied Markdown through MDEx.to_html/2 - such as a comment box, chat message, or wiki page - is exposed; a payload differing by only a few bytes can force hundreds of megabytes to gigabytes of allocation. No public exploit has been identified at time of analysis, though the attack payload is trivially constructable directly from the public advisory, and patched versions 0.12.3 (mdex) and 0.2.3 (mdex_native) are available.

Denial Of Service Mdex Mdex Native
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Stored and reflected cross-site scripting in MDEx's Lumis syntax highlighting adapter allows attackers who can submit Markdown content to inject arbitrary HTML and JavaScript into rendered output viewed by other users, enabling session theft and account takeover. The flaw exists in the native Rust code shared between the mdex (0.11.3-0.12.2) and mdex_native (0.1.0-0.2.2) packages, where the highlight_lines_class code-fence attribute is interpolated into per-line HTML div class attributes without escaping. Exploitation requires a non-default rendering configuration (full_info_string: true with syntax highlighting enabled); no public exploit identified at time of analysis, and vendor-released patches are available.

XSS Mdex Mdex Native
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy