CVE-2026-53427
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.
When syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML.
An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.
This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| leandrocp | mdex | 0.11.3 < 0.12.3 | affected |
| leandrocp | mdex | 0d7ffc84ea742e1daf666426814e5bb6d0499433 < 6ed94d905f97af188323f042698ae841c02293b4 | affected |
| leandrocp | mdex_native | 0.1.0 < 0.2.3 | affected |
| leandrocp | mdex_native | 956528c5e31746253347029e810a969ab916fd27 < 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3 | affected |
Weaknesses
- CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Workarounds
Do not enable full info-string forwarding (render: [full_info_string: true]) when rendering untrusted Markdown, which prevents the highlight_lines_class attribute from reaching the highlighter. Alternatively, restrict highlight_lines_class values to a safe character set (for example [A-Za-z0-9_- ]) before rendering.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/leandrocp/mdex_native/security/advisories/GHSA-v664-pmxr-mxxx
- https://cna.erlef.org/cves/CVE-2026-53427.html
- https://osv.dev/vulnerability/EEF-CVE-2026-53427
- https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.