The vulnerability arises because the TXTRenderer component processes file contents without sanitization, and then casts the raw data directly as a ReactNode. This allows a maliciously crafted .txt file to inject and execute arbitrary JavaScript in the context of any web page that renders the file. Attackers could thereby steal user session data, perform actions on behalf of the user, or tamper with page content. The impact is a classic browser‑based remote code execution that compromises confidentiality, integrity, and availability of the client’s session and data.

Projects or applications that embed the @cyntler/react-doc-viewer JavaScript library, specifically version 1.17.1, are affected. The flaw is tied to the TXTRenderer component used to display .txt files. Any deployment that relies on that component for rendering text documents would be vulnerable.

No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, which indicates limited publicly known exploitation data. The attack vector is remote: an attacker must supply a malicious .txt file that is rendered by the vulnerable component, typically by hosting the file on a server and causing a victim's browser to load it through the application. Successful exploitation requires the victim to use a web interface that consumes .txt files via TXTRenderer. Because the flaw is client‑side, exploitation unfolds in the victim’s browser, enabling the attacker to run arbitrary script without server‑side code execution. The CVSS score of 6.1 classifies the vulnerability as medium severity, but it still allows complete compromise of the client session, so the risk remains significant until a patch or workaround is applied.