CVE-2026-30691
Deferred Deferred - Pending Action
Cross-Site Scripting in react-doc-viewer via TXTRenderer

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: MITRE

Description
Cross-Site Scripting (XSS) vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanitize file content and explicitly casts raw data as a ReactNode
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-30691
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cyntler react-doc-viewer 1.17.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30691 is a Stored Cross-Site Scripting (XSS) vulnerability in the @cyntler/react-doc-viewer package version 1.17.1.

The vulnerability exists in the TXTRenderer component, which renders the content of .txt files as ReactNode without properly sanitizing the input.

This allows remote attackers to craft malicious .txt files containing JavaScript code that executes in the victim's browser when the file is viewed through the DocViewer component.

Impact Analysis

The vulnerability can lead to several serious impacts including session hijacking, unauthorized user actions, website defacement, and phishing attacks.

When a user opens a maliciously crafted .txt file in the vulnerable viewer, the embedded JavaScript executes in their browser, potentially compromising their session and data.

Detection Guidance

This vulnerability can be detected by identifying if the @cyntler/react-doc-viewer package version 1.17.1 is in use and if the TXTRenderer component is rendering .txt file content without sanitization.

One practical approach is to test the application by loading a crafted .txt file containing a simple JavaScript payload (e.g., <script>alert('XSS')</script>) into the document viewer and observing if the script executes.

There are no specific network commands provided, but detection involves checking the application version and testing file rendering behavior.

Mitigation Strategies

To mitigate this vulnerability, immediately sanitize the content of .txt files before rendering them in the TXTRenderer component.

Use a sanitization library such as DOMPurify to clean the file content and prevent execution of malicious scripts.

Alternatively, avoid casting raw strings directly as ReactNode in the rendering process.

Compliance Impact

The vulnerability allows remote attackers to execute arbitrary JavaScript in users' browsers, which can lead to session hijacking, unauthorized actions, application defacement, and phishing attacks.

Such security issues can potentially result in unauthorized access to personal or sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of user data and prevention of unauthorized access.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30691. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart