CVE-2026-30691
Cross-Site Scripting in react-doc-viewer via TXTRenderer
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cyntler | react-doc-viewer | 1.17.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30691 is a Stored Cross-Site Scripting (XSS) vulnerability in the @cyntler/react-doc-viewer package version 1.17.1.
The vulnerability exists in the TXTRenderer component, which renders the content of .txt files as ReactNode without properly sanitizing the input.
This allows remote attackers to craft malicious .txt files containing JavaScript code that executes in the victim's browser when the file is viewed through the DocViewer component.
How can this vulnerability impact me?
The vulnerability can lead to several serious impacts including session hijacking, unauthorized user actions, website defacement, and phishing attacks.
When a user opens a maliciously crafted .txt file in the vulnerable viewer, the embedded JavaScript executes in their browser, potentially compromising their session and data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if the @cyntler/react-doc-viewer package version 1.17.1 is in use and if the TXTRenderer component is rendering .txt file content without sanitization.
One practical approach is to test the application by loading a crafted .txt file containing a simple JavaScript payload (e.g., <script>alert('XSS')</script>) into the document viewer and observing whether the script executes.
There are no specific network commands provided, but detection involves checking the application version and testing file rendering behavior.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately sanitize the content of .txt files before rendering them in the TXTRenderer component.
Use a sanitization library such as DOMPurify to clean the file content and prevent execution of malicious scripts.
Alternatively, avoid casting raw strings directly as ReactNode in the rendering process.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows remote attackers to execute arbitrary JavaScript in users' browsers, which can lead to session hijacking, unauthorized actions, application defacement, and phishing attacks.
Such security issues can potentially result in unauthorized access to personal or sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of user data and prevention of unauthorized access.
However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.