CVE Catalog

CVE-2026-54889

MediumCVSS 5.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

23th percentile — higher than 23% of all known CVEs

Summary

XSS vulnerability in the mdex library for Elixir allows an attacker to inject JavaScript code via improper validation of URL schemes in Markdown to Quill Delta processing. An attacker can supply a malicious link with javascript: scheme in Markdown text, which is copied verbatim to the Delta attribute and executed in the victim's browser when rendered to HTML.

Risk Assessment

The risk involves arbitrary JavaScript execution in the user's browser, potentially leading to session theft, account takeover, or sensitive data leakage. The vulnerability affects versions from 0.8.3 to 0.13.1.

Recommendation

Immediately update the mdex library to version 0.13.2 or later, which includes a fix for URL scheme validation. If an update is not possible, apply additional URL validation on the Delta renderer side.

Original NVD description (English source)

Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output. 'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta "link" or "image" attribute without applying a scheme allowlist or any normalization. An attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an <a href> or <img src>, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in <img src> generally does not execute in modern browsers. This issue affects mdex: from 0.8.3 before 0.13.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS