Description
BentoPDF is a client-side PDF toolkit that is self hostable. Prior to version 2.8.3, a cross-site scripting vulnerability was identified in BentoPD. An attacker may be able to execute arbitrary JavaScript in certain circumstances in Markdown to PDF Tool. This issue has been patched in version 2.8.3.
Published: 2026-05-07
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

BentoPDF’s Markdown to PDF conversion contains a stored cross‑site scripting flaw that allows arbitrary JavaScript to be injected into Markdown documents. When such a document is rendered to PDF and viewed in a browser or PDF viewer that executes embedded scripts, the attacker’s code runs in the context of the viewer, potentially reading browser data, logging activity, or transmitting sensitive information from the victim. The weakness is classified as CWE‑79. No evidence of defacement is provided in the CVE.

Affected Systems

All instances of BentoPDF released prior to version 2.8.3 are affected. The vendor product is BentoPDF, a client‑side, self‑hostable PDF toolkit. Versions 2.8.3 and later contain the fix that removes the XSS vector.

Risk and Exploitability

The CVSS score of 7 indicates a high‑moderate risk. The EPSS metric is not available, so exploitation probability cannot be quantified. The vulnerability is not listed in CISA’s KEV catalog. Exposing a malicious Markdown file to the editor allows the stored script to persist in the resulting PDF so that it can be executed whenever the PDF is opened in a browser or PDF viewer.

Generated by OpenCVE AI on May 7, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BentoPDF to version 2.8.3 or later to apply the vendor patch.
  • If an upgrade is not immediately feasible, restrict the Markdown editor to trusted users and disable any feature that allows arbitrary HTML or JavaScript output.
  • As a temporary measure, sanitize or strip <script> tags and other executable content from Markdown before conversion to PDF to prevent stored XSS.

Generated by OpenCVE AI on May 7, 2026 at 21:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Alam00000
Alam00000 bentopdf
Vendors & Products Alam00000
Alam00000 bentopdf

Thu, 07 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description BentoPDF is a client-side PDF toolkit that is self hostable. Prior to version 2.8.3, a cross-site scripting vulnerability was identified in BentoPD. An attacker may be able to execute arbitrary JavaScript in certain circumstances in Markdown to PDF Tool. This issue has been patched in version 2.8.3.
Title BentoPDF: Stored XSS via Markdown Editor Leading to Persistent File Exfiltration
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Alam00000 Bentopdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T19:01:30.967Z

Reserved: 2026-04-21T23:58:43.802Z

Link: CVE-2026-41653

cve-icon Vulnrichment

Updated: 2026-05-07T19:01:28.393Z

cve-icon NVD

Status : Deferred

Published: 2026-05-07T19:16:00.670

Modified: 2026-05-07T19:51:36.220

Link: CVE-2026-41653

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T21:30:25Z

Weaknesses