Description
md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including <script> tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain. This issue has been patched in version 1.10.3.
Published: 2026-06-09
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the Markdown rendering logic in md-fileserver, which accepts user‑supplied Markdown and directly injects any embedded raw HTML into the rendered page. Because no sanitization is performed, attackers can embed <script> tags or other malicious HTML, leading to arbitrary JavaScript execution in the victim’s browser context. This results in a classic stored or reflected XSS that can steal session cookies, deface pages, or perform phishing attacks.

Affected Systems

Affected production environments include installations of commenthol/md-fileserver running any version older than v1.10.3. The product is a stand‑alone server that renders Markdown files locally, without the need for external authentication. All users who can view a Markdown file are at risk until the application is upgraded.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity. With no reported EPSS score and the vulnerability not listed in the CISA KEV catalog, the public awareness may be lower. The local nature of the attack vector means that any user with access to the file viewer can trigger it. Attackers can supply malicious Markdown either by uploading a file, sharing a link, or, if the application allows, embedding malicious content within an existing file. The absence of built‑in sanitization means that arbitrary JavaScript will execute with the same privileges as the served domain.

Generated by OpenCVE AI on June 9, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade md-fileserver to version 1.10.3 or later.
  • If upgrading immediately is not possible, restrict access to the Markdown viewer to trusted users only to limit the attack surface.
  • Configure the Markdown parser to strip or escape raw HTML input, or use a sanitization library if the application supports it.
  • Monitor application logs for suspicious script executions or malformed Markdown content.

Generated by OpenCVE AI on June 9, 2026 at 18:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-32q2-hhr5-6qvv md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
History

Tue, 09 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Commenthol
Commenthol md-fileserver
Vendors & Products Commenthol
Commenthol md-fileserver

Tue, 09 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Description md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including <script> tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain. This issue has been patched in version 1.10.3.
Title md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
Weaknesses CWE-80
CWE-87
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Commenthol Md-fileserver
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T18:39:21.733Z

Reserved: 2026-05-14T18:06:06.811Z

Link: CVE-2026-46492

cve-icon Vulnrichment

Updated: 2026-06-09T18:25:23.273Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:33.730

Modified: 2026-06-09T20:16:59.300

Link: CVE-2026-46492

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:20:12Z

Weaknesses