Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)

Summary

CVECVE-2026-54889
StatePUBLISHED
AssignerEEF
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-06-29 20:17:39 UTC
Updated2026-06-30 14:14:35 UTC
DescriptionImproper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output. 'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta "link" or "image" attribute without applying a scheme allowlist or any normalization. An attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an <a href> or <img src>, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in <img src> generally does not execute in modern browsers. This issue affects mdex: from 0.8.3 before 0.13.2.

Risk And Classification

Primary CVSS: v4.0 5.1 MEDIUM from 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.003100000 probability, percentile 0.226340000 (date 2026-06-30)

Problem Types: CWE-79 | CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')


VersionSourceTypeScoreSeverityVector
4.06b3ad84c-e1a6-4bf7-a703-f496b71e49dbSecondary5.1MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/C...
4.0CNACVSS5.1MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

CVSS v4.0 Breakdown

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
Active
Confidentiality
Low
Integrity
Low
Availability
None
Sub Conf.
Low
Sub Integrity
Low
Sub Availability
None

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Leandrocp Mdex affected 0.8.3 0.13.2 semver Not specified
CNA Leandrocp Mdex affected 9852db2456fdc9d856eb636603a7f608e22e3793 2817147f5b87ce7186aa604c9ee72499485b8f2f git Not specified

References

ReferenceSourceLinkTags
cna.erlef.org/cves/CVE-2026-54889.html 6b3ad84c-e1a6-4bf7-a703-f496b71e49db cna.erlef.org
github.com/leandrocp/mdex/commit/2817147f5b87ce7186aa604c9ee72499485b8f2f 6b3ad84c-e1a6-4bf7-a703-f496b71e49db github.com
github.com/leandrocp/mdex/security/advisories/GHSA-4383-7xfp-gpph 134c704f-9b21-4f2e-91b3-4a467353bcc0 github.com
osv.dev/vulnerability/EEF-CVE-2026-54889 6b3ad84c-e1a6-4bf7-a703-f496b71e49db osv.dev
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Peter Ullrich (en)

CNA: Leandro Pereira (en)

CNA: Jonatan Männchen / EEF (en)

Additional Advisory Data

Workarounds

CNA: Sanitize the Quill Delta produced by 'Elixir.MDEx':to_delta/2 before rendering it: drop or blank any "link" or "image" value whose URL scheme is not in a safe allowlist (http, https, mailto, tel).

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report