CVE-2026-53427
Deferred - Pending Action

Stored XSS in mdex and mdex_native via Markdown Code Fence

Vulnerability report for CVE-2026-53427, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: EEF

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.

When syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML.

An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.

The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched. This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-30
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor     Product       Version / Range
leandrocp  mdex          up to 0.12.3 (0.12.3 excluded)
leandrocp  mdex_native   up to 0.2.3 (0.2.3 excluded)

CWE

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.


AI Quick Actions

Compliance Impact

This vulnerability allows attackers to inject arbitrary HTML and JavaScript into rendered Markdown content, leading to cross-site scripting (XSS) attacks. Such attacks can result in session theft, account takeover, and other client-side exploits.

From a compliance perspective, this can impact standards and regulations like GDPR and HIPAA because unauthorized access to user sessions and accounts may lead to exposure of personal or sensitive data. This exposure could violate data protection and privacy requirements mandated by these regulations.

Therefore, organizations using affected versions of mdex or mdex_native with vulnerable configurations may face increased risk of non-compliance due to potential data breaches or unauthorized data access caused by this XSS vulnerability.

Executive Summary

CVE-2026-53427 is a Cross-Site Scripting (XSS) vulnerability in the MDEx library, specifically in the mdex and mdex_native packages. It occurs when the highlight_lines_class attribute in code-fence Markdown is not properly escaped. This attribute is copied unescaped into the class attribute of every rendered line when syntax highlighting and full info-string forwarding are enabled.

An attacker can submit malicious Markdown containing a crafted highlight_lines_class value that breaks out of the class attribute and injects arbitrary HTML or JavaScript. This injected code runs in the browser of users viewing the rendered content.

No authentication or special privileges are required to exploit this vulnerability.

Impact Analysis

This vulnerability allows attackers to inject arbitrary HTML and JavaScript into web pages rendered from user-submitted Markdown. As a result, attackers can perform client-side attacks such as session theft and account takeover.

Since the malicious code runs in the context of the victim's browser, it can steal sensitive information, hijack user sessions, or perform actions on behalf of the user.

Exploitation requires no authentication or special privileges but does require that the application renders untrusted Markdown with syntax highlighting and full info-string forwarding enabled.

Detection Guidance

This vulnerability can be detected by identifying if your system uses the mdex or mdex_native packages with versions affected by CVE-2026-53427 (mdex >= 0.11.3 and < 0.12.3, mdex_native >= 0.1.0 and < 0.2.3) and if syntax highlighting with full info-string forwarding (render: [full_info_string: true]) is enabled.

Detection involves checking for usage of the vulnerable Lumis adapter that copies the highlight_lines_class attribute unescaped into HTML class attributes, which can be exploited via specially crafted Markdown input.

Suggested commands to detect the vulnerability include:

  • Check installed package versions (example for mdex_native): `mix deps | grep mdex_native` or `rebar3 deps | grep mdex_native`
  • Search your codebase or configuration for enabling full info-string forwarding: `grep -r 'full_info_string: true' ./`
  • Test rendering of Markdown code fences with a crafted highlight_lines_class attribute to see if unescaped HTML is injected, for example by submitting Markdown containing a code fence with `highlight_lines_class='"><script>alert(1)</script>'` and observing if the script executes in the rendered output.

Mitigation Strategies

Immediate mitigation steps include disabling full info-string forwarding or restricting the highlight_lines_class attribute values to a safe character set to prevent injection of arbitrary HTML or JavaScript.

Additionally, upgrading to patched versions of the affected packages is recommended: mdex to version 0.12.3 or later, and mdex_native to version 0.2.3 or later, where the vulnerability has been fixed.

If upgrading is not immediately possible, consider applying workarounds such as sanitizing user-submitted Markdown inputs or disabling syntax highlighting features that rely on the vulnerable Lumis adapter.
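As an added example that is not MDEx's or mdex_native's own code, the Rust sketch below contrasts the defect the Description section explains (an info-string value interpolated verbatim into a per-line div's class attribute) with the hardened form the mitigation above suggests: an allow-list for class tokens, with HTML attribute escaping kept as defence in depth. The function names, the `hl` fallback class and the hostile sample value are constructed for this example.

```rust
// Added example, not MDEx/mdex_native code. `line_div_unescaped` has the
// shape of the defect (the class value reaches the attribute verbatim);
// `line_div_hardened` allow-lists the token and escapes as defence in depth.
// `line` stands for the already-highlighted HTML of one source line and is
// passed through unchanged in both variants, as the adapter would.

/// Constructed hostile value in the shape the advisory describes: the
/// leading double quote closes the class attribute early.
pub const HOSTILE_CLASS: &str = "\"><script>alert(1)</script>";

/// Fallback class used when the supplied token is rejected (assumed name).
pub const DEFAULT_CLASS: &str = "hl";

/// Vulnerable shape: attacker-controlled value interpolated unescaped.
pub fn line_div_unescaped(class: &str, line: &str) -> String {
    format!("<div class=\"{}\">{}</div>", class, line)
}

/// Escape the characters that matter inside a double-quoted HTML attribute.
pub fn escape_attr(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    for c in value.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            _ => out.push(c),
        }
    }
    out
}

/// Accept only a plausible CSS class token: ASCII letters, digits, '-', '_'.
pub fn is_safe_class_token(value: &str) -> bool {
    !value.is_empty()
        && value
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
}

/// Hardened shape: reject anything outside the allow-list, then escape the
/// (already safe) token anyway so a later relaxation of the allow-list
/// cannot reintroduce the attribute break-out.
pub fn line_div_hardened(class: &str, line: &str) -> String {
    let class = if is_safe_class_token(class) { class } else { DEFAULT_CLASS };
    format!("<div class=\"{}\">{}</div>", escape_attr(class), line)
}
```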
