CVE-2026-46492

Name of the Vulnerable Software and Affected Versions md-fileserver versions prior to 1.10.3

Description A cross-site scripting (XSS) issue exists in the Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML, such as <script> tags or event handlers (e.g., <img onerror=...>), is processed and injected into the resulting page without sanitization. This allows arbitrary JavaScript execution in the context of the affected domain. The issue is caused by the markdownIt configuration in config.js being set to allow raw HTML, the lack of sanitization in the lib/markd.js rendering process, and the unsanitized injection of the markdown variable into the lib/pages/template.html template.

Recommendations Update to version 1.10.3.