Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute
Summary
| CVE | CVE-2026-53427 |
|---|---|
| State | PUBLISHED |
| Assigner | EEF |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-29 19:16:41 UTC |
| Updated | 2026-06-29 20:17:38 UTC |
| Description | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown. When syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML. An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required. The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched. This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3. |
Risk And Classification
Primary CVSS: v4.0 2.3 LOW from 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.004050000 probability, percentile 0.323120000 (date 2026-06-30)
Problem Types: CWE-79 | CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | Secondary | 2.3 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 2.3 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Leandrocp | Mdex | affected 0.11.3 0.12.3 semver | Not specified |
| CNA | Leandrocp | Mdex | affected 0d7ffc84ea742e1daf666426814e5bb6d0499433 6ed94d905f97af188323f042698ae841c02293b4 git | Not specified |
| CNA | Leandrocp | Mdex Native | affected 0.1.0 0.2.3 semver | Not specified |
| CNA | Leandrocp | Mdex Native | affected 956528c5e31746253347029e810a969ab916fd27 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3 git | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| osv.dev/vulnerability/EEF-CVE-2026-53427 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | osv.dev | |
| github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b... | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| github.com/leandrocp/mdex_native/security/advisories/GHSA-v664-pmxr-mxxx | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| cna.erlef.org/cves/CVE-2026-53427.html | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | cna.erlef.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Peter Ullrich (en)
CNA: Leandro Pereira (en)
CNA: Jonatan Männchen / EEF (en)
Additional Advisory Data
Workarounds
CNA: Do not enable full info-string forwarding (render: [full_info_string: true]) when rendering untrusted Markdown, which prevents the highlight_lines_class attribute from reaching the highlighter. Alternatively, restrict highlight_lines_class values to a safe character set (for example [A-Za-z0-9_- ]) before rendering.