CVE-2026-54889
Status: Received - Intake

Stored XSS in mdex Quill Delta Output

Vulnerability report for CVE-2026-54889, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: EEF

Description

Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output. 'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta "link" or "image" attribute without applying a scheme allowlist or any normalization. An attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an <a href> or <img src>, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in <img src> generally does not execute in modern browsers. This issue affects mdex: from 0.8.3 before 0.13.2.


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-30
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

1 associated CPE:

Vendor: leandrocp; Product: mdex; Version range: from 0.8.3 (inclusive) to 0.13.2 (exclusive)

Exploitability

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

AI Quick Actions

Executive Summary

CVE-2026-54889 is a stored cross-site scripting (XSS) vulnerability in the MDEx library, which converts Markdown into Quill Delta format.

The vulnerability occurs because the MDEx.to_delta/2 function does not sanitize or validate URL schemes in links, wikilinks, or images. Attackers can inject malicious URLs using the javascript: scheme into Markdown content.

These malicious URLs are passed directly into the Quill Delta's "link" or "image" attributes without any restrictions. When the Delta is rendered to HTML by downstream tools like quill-delta-to-html or the Quill client, the javascript: URLs execute in the browser of anyone viewing the content.

This can lead to execution of arbitrary JavaScript code, such as stealing session cookies or performing other malicious actions.

Detection Guidance

This vulnerability involves unsanitized URL schemes such as javascript: in Markdown content converted to Quill Delta format. Detection involves inspecting Markdown inputs or Quill Delta outputs for unsafe URL schemes like javascript:, data:, vbscript:, or file: in link, wikilink, or image attributes.

You can detect potentially malicious URLs by searching for these schemes in your Markdown source or in the generated Quill Delta JSON, for example with command-line tools that grep for 'javascript:' URLs in Markdown files or Delta JSON outputs:

  • grep -i 'javascript:' your_markdown_file.md
  • grep -i 'javascript:' your_quill_delta.json
  • jq '.ops[].attributes.link' your_quill_delta.json | grep -i 'javascript:'

These commands help identify if any unsafe URL schemes are present in your Markdown or Quill Delta data, indicating potential exploitation of this vulnerability.

Mitigation Strategies

The primary mitigation is to upgrade the MDEx library to version 0.13.2 or later, where the vulnerability is fixed by sanitizing and omitting unsafe URL schemes by default.

If upgrading is not immediately possible, sanitize the Quill Delta output before rendering by filtering out or removing unsafe URL schemes such as javascript:, data:, vbscript:, and file: from link, wikilink, and image attributes.

Additionally, keep the default MDEx rendering setting, which omits dangerous URLs, and avoid the `unsafe: true` option, which preserves unsafe URLs.

These steps reduce the risk of cross-site scripting attacks by preventing execution of malicious JavaScript embedded in Markdown content.
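One way to apply the pre-render sanitization step above, which also performs the scan the Detection Guidance describes, in the JavaScript that hands a Delta to a downstream renderer. This is an added example, not mdex's or Quill's own code; it assumes the standard Quill Delta shapes (links as `attributes.link`, images as an `insert: { image: url }` embed), an allowlist of http, https and mailto, and a constructed sample Delta rather than one captured from mdex.

```javascript
// Added example (not mdex's own code): scan a Quill Delta for unsafe URL
// schemes in link/image attributes and strip them before rendering.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// A URL is safe when it is a relative reference or its scheme is allowlisted.
// Control characters and whitespace are removed first, since browsers ignore
// them when parsing the scheme ("java\tscript:" still runs as javascript:).
function isSafeUrl(url) {
  if (typeof url !== "string") return false;
  const cleaned = url.replace(/[\u0000-\u0020\u007f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true; // no scheme: relative path, fragment or query
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Returns { delta, findings }: a copy of the Delta with unsafe link
// attributes removed (text kept, href dropped) and unsafe image embeds
// dropped, plus one finding per removal for logging or alerting.
// The input Delta is not mutated.
function sanitizeDelta(delta) {
  const findings = [];
  const ops = [];
  for (const [i, op] of (delta.ops || []).entries()) {
    const copy = { ...op };
    if (op.attributes) copy.attributes = { ...op.attributes };
    if (copy.attributes && "link" in copy.attributes && !isSafeUrl(copy.attributes.link)) {
      findings.push({ op: i, kind: "link", url: copy.attributes.link });
      delete copy.attributes.link;
      if (Object.keys(copy.attributes).length === 0) delete copy.attributes;
    }
    if (copy.insert && typeof copy.insert === "object" && "image" in copy.insert
        && !isSafeUrl(copy.insert.image)) {
      findings.push({ op: i, kind: "image", url: copy.insert.image });
      continue; // drop the embed entirely
    }
    ops.push(copy);
  }
  return { delta: { ops }, findings };
}

// Constructed sample (shape assumed, not captured from mdex): what an
// affected to_delta/2 would emit for
// "[click](javascript:alert(document.cookie)) and ![x](https://example.com/a.png)"
const SAMPLE_DELTA = {
  ops: [
    { insert: "click", attributes: { link: "javascript:alert(document.cookie)" } },
    { insert: " and " },
    { insert: { image: "https://example.com/a.png" } },
    { insert: "\n" },
  ],
};
```

Run `sanitizeDelta(SAMPLE_DELTA)` on the Delta before passing it to quill-delta-to-html or the Quill client; the `findings` array is what to feed a detection pipeline.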

Compliance Impact

CVE-2026-54889 is a stored cross-site scripting (XSS) vulnerability that allows attackers to inject malicious JavaScript via unsanitized URL schemes in Markdown content processed by the MDEx library. This can lead to execution of arbitrary scripts in the browsers of users viewing the rendered content.

Such XSS vulnerabilities can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access to sensitive user data, session hijacking, or account takeover. This compromises the confidentiality and integrity of personal or protected health information handled by affected applications.

Organizations using vulnerable versions of MDEx to process untrusted Markdown content risk violating data protection requirements that mandate safeguarding user data against unauthorized access and ensuring secure handling of input to prevent injection attacks.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript in the browsers of users who view the rendered Markdown content.

  • Session theft or hijacking by stealing cookies.
  • Account takeover or unauthorized actions performed on behalf of the user.
  • Potential spread of malware or phishing attacks through malicious links.

The attack requires no special privileges and only needs user interaction, such as clicking a malicious link.

The impact is stronger when the malicious URL is in a link's href attribute, as javascript: executes on click; the impact is lower for images because javascript: in img src generally does not execute in modern browsers.
