CVE-2026-46492
Awaiting Analysis - Queue
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: GitHub, Inc.

Description
md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including <script> tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain. This issue has been patched in version 1.10.3.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor          Product         Version / Range
commenthol      md-fileserver   up to 1.10.3 (excluding)
md-fileserver   md-fileserver   up to 1.10.3 (excluding)
CWE ID   Description
CWE-80   The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
CWE-87   The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
Compliance Impact

The vulnerability allows arbitrary JavaScript execution in the context of the affected domain, which can lead to session hijacking, account takeover, credential theft, defacement, or exfiltration of sensitive data.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Executive Summary

CVE-2026-46492 is a cross-site scripting (XSS) vulnerability in the md-fileserver application's Markdown rendering logic.

When user-supplied Markdown content is rendered, embedded raw HTML—including <script> tags—is processed and injected into the resulting page without sanitization.

This allows arbitrary JavaScript execution in the context of the affected domain, meaning an attacker can execute malicious scripts in the victim's browser.

Impact Analysis

Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript in the victim's browser, which can lead to:

  • Session hijacking
  • Account takeover
  • Credential theft
  • Defacement of the application
  • Exfiltration of sensitive data

The vulnerability affects all users who can view Markdown content within the application, posing a significant risk due to its network-based attack vector, low complexity, and no required privileges or user interaction.

Detection Guidance

This vulnerability involves the rendering of user-supplied Markdown content that includes embedded raw HTML such as <script> tags without sanitization, leading to cross-site scripting (XSS). Detection involves identifying if your md-fileserver instance is running a vulnerable version prior to 1.10.3 and if it processes Markdown content containing unsafe HTML.

To detect the vulnerability on your system, check the version of md-fileserver installed. For example, if you have access to the system running md-fileserver, you can run:

  • npm list md-fileserver
  • md-fileserver --version, if md-fileserver is installed globally

If the version is older than 1.10.3, the system is vulnerable.

Additionally, you can test by attempting to render Markdown content with embedded <script> tags or event handlers in the application and observe if the script executes in the browser, indicating the vulnerability.
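An added example (JavaScript; not code from the advisory or from the md-fileserver project) covering both checks above: a comparison of an installed version against the fixed release 1.10.3, and a scanner that flags raw script tags, inline event handlers and javascript: URLs in Markdown files so they can be reviewed before an unpatched instance serves them. The regex patterns and the sample Markdown are constructed assumptions, not the project's own sanitizer rules.

```javascript
// Added example (not code from the advisory or the md-fileserver project):
// a version check against the fixed release and a scanner that flags raw HTML
// an unsanitized renderer would pass straight into the page. The patterns are
// assumptions, not the project's own sanitizer rules.
const FIXED_VERSION = '1.10.3'; // fixed release named in the advisory

// Compare dotted numeric versions; negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// True for the "up to 1.10.3 (excluding)" range; tolerates a leading "v".
function isVulnerableVersion(installed) {
  return compareVersions(installed.trim().replace(/^v/, ''), FIXED_VERSION) < 0;
}
// Raw HTML constructs that must never reach the page unsanitized.
const RAW_HTML_RISKS = [
  { name: 'script tag', re: /<\s*script\b/i },
  { name: 'inline event handler', re: /<[^>]*\son[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /\b(?:href|src)\s*=\s*["']?\s*javascript:/i },
];
// Scan Markdown line by line; fenced code blocks are skipped because a
// renderer escapes their contents (displayed, not executed).
function findRawHtmlRisks(markdown) {
  const hits = [];
  let inFence = false;
  markdown.split(/\r?\n/).forEach((line, idx) => {
    if (/^\s*(`{3}|~{3})/.test(line)) { inFence = !inFence; return; }
    if (inFence) return;
    for (const { name, re } of RAW_HTML_RISKS) {
      if (re.test(line)) hits.push({ line: idx + 1, name });
    }
  });
  return hits;
}
// Constructed sample Markdown (not taken from the advisory).
const SAMPLE_MD = [
  '# Notes', 'Plain *markdown* text.',
  '~~~html', '<script>console.log("inside a fence: escaped")</script>', '~~~',
  '<img src="x.png" onload="console.log(1)">',
  '<script>console.log("raw HTML outside a fence")</script>',
].join('\n');

console.log(isVulnerableVersion('1.10.2'), findRawHtmlRisks(SAMPLE_MD)); // true, lines 6 and 7
```

Files that the scanner flags are candidates for manual review or for being kept away from a vulnerable instance; a clean scan does not prove a file is safe, since the patterns cover only the most common raw-HTML vectors.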

Mitigation Strategies

The primary mitigation step is to upgrade the md-fileserver application to version 1.10.3 or later, where this cross-site scripting vulnerability has been patched.

Until the upgrade can be applied, consider restricting access to the md-fileserver application to trusted users only, and avoid viewing or rendering untrusted Markdown content that may contain malicious embedded HTML or scripts.

Implementing additional web application firewall (WAF) rules to detect and block suspicious script injections in Markdown content may also help reduce risk.
