Fxha

**Name of the Vulnerable Software and Affected Versions** Mark Text version 0.16.3 **Description** A DOM-based cross-site scripting (XSS) issue allows attackers to perform remote code execution (RCE) by injecting a crafted payload into `/lib/contentState/pasteCtrl.js`. This enables attackers to execute malicious code remotely. **Recommendations** For Mark Text version 0.16.3, consider disabling the `/lib/contentState/pasteCtrl.js` module until a patch is available to prevent remote code execution. Restrict access to this module to minimize the risk of exploitation. Avoid using the affected module in the `/lib/contentState/pasteCtrl.js` file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MarkText versions 0.16.3 and earlier **Description** The issue arises from the lack of input sanitization in mermaid blocks before rendering, potentially leading to Remote Code Execution via a .md file containing a mutation Cross-Site Scripting (XSS) payload. **Recommendations** For MarkText versions 0.16.3 and earlier, consider disabling the rendering of mermaid blocks until a patch is available to prevent potential Remote Code Execution attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.