PT-2026-53680 · Leandrocp · Mdex+1
Leandro Pereira +1
Published 2026-06-29 · Updated 2026-06-29
CVE-2026-53427
CVSS v4.0: 2.3 (Low)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.
When syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line element. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '">' terminates the class attribute early and the markup that follows is emitted as live HTML.
An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.
This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
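The defect is the interpolation step, not the parser: whatever a shlex-style tokenizer hands back must be attribute-escaped before it is written into HTML. The Rust below is an added example, not code from MDEx or mdex_native. It places the verbatim interpolation pattern the advisory describes beside the same rendering with HTML attribute escaping, and uses a constructed value (the shape left after a single-quoted '">...' token is unquoted) to show that escaping keeps the whole value inside the class attribute. The function names render_line_unescaped, render_line_escaped, extract_class and tag_count are this example's own, not the adapter's.

```rust
// Added example, not code from MDEx or mdex_native. Contrasts verbatim
// interpolation of an info-string attribute value into a per-line class
// attribute with the same rendering after HTML attribute escaping.

/// Escape a string for use inside a double-quoted HTML attribute.
pub fn escape_attr(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            _ => out.push(c),
        }
    }
    out
}

/// The defective pattern: the highlight class is written into the
/// attribute exactly as the info-string parser returned it.
pub fn render_line_unescaped(highlight_class: &str, code: &str) -> String {
    format!("<span class=\"line {}\">{}</span>", highlight_class, code)
}

/// Hardened variant: the value is escaped before interpolation.
pub fn render_line_escaped(highlight_class: &str, code: &str) -> String {
    format!("<span class=\"line {}\">{}</span>", escape_attr(highlight_class), code)
}

/// The raw text between `class="` and the next `"`, i.e. what a browser
/// will actually treat as the class attribute value.
pub fn extract_class(html: &str) -> Option<&str> {
    let start = html.find("class=\"")? + "class=\"".len();
    let rest = &html[start..];
    let end = rest.find('"')?;
    Some(&rest[..end])
}

/// Number of `<` characters. For a line of plain code a correct render has
/// exactly two: the opening and the closing span.
pub fn tag_count(html: &str) -> usize {
    html.matches('<').count()
}

fn main() {
    // Constructed value: what remains of a single-quoted '">...' token once
    // the quotes are removed. The <b> marker stands in for any injected markup.
    let injected = "\"><b>injected</b>";
    let bad = render_line_unescaped(injected, "x = 1");
    let good = render_line_escaped(injected, "x = 1");
    println!("unescaped: {}\n  class = {:?}, tags = {}", bad, extract_class(&bad), tag_count(&bad));
    println!("escaped:   {}\n  class = {:?}, tags = {}", good, extract_class(&good), tag_count(&good));
}
```

In the unescaped render the attribute value is cut to "line " and the remainder of the value becomes two extra elements; in the escaped render the attribute holds the entire value and the element count stays at two. The same check (count the elements you emitted against the elements in the output) is a cheap regression test for any renderer that builds HTML with format strings.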
Fix
XSS
Affected Products: Mdex, Mdex Native