{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-53427", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-06-09T11:01:47.529Z", "datePublished": "2026-06-29T18:50:17.185Z", "dateUpdated": "2026-06-29T19:19:28.028Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.hex.pm", "cpes": ["cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["'Elixir.MDEx'", "comrak_nif"], "packageName": "mdex", "packageURL": "pkg:hex/mdex", "product": "mdex", "programFiles": ["native/comrak_nif/src/lumis_adapter.rs"], "programRoutines": [{"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"}, {"name": "comrak_nif::lumis_adapter::LumisAdapter::highlight_lines_config"}, {"name": "comrak_nif::lumis_adapter::LumisAdapter::write_highlighted"}, {"name": "'Elixir.MDEx':to_html/2"}], "repo": "https://github.com/leandrocp/mdex", "vendor": "leandrocp", "versions": [{"lessThan": "0.12.3", "status": "affected", "version": "0.11.3", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["'Elixir.MDEx'", "comrak_nif"], "packageName": "leandrocp/mdex", "packageURL": "pkg:github/leandrocp/mdex", "product": "mdex", "programFiles": ["native/comrak_nif/src/lumis_adapter.rs"], "programRoutines": [{"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"}, {"name": "comrak_nif::lumis_adapter::LumisAdapter::highlight_lines_config"}, {"name": "comrak_nif::lumis_adapter::LumisAdapter::write_highlighted"}, {"name": "'Elixir.MDEx':to_html/2"}], "repo": "https://github.com/leandrocp/mdex", "vendor": "leandrocp", "versions": [{"lessThan": "6ed94d905f97af188323f042698ae841c02293b4", "status": "affected", "version": "0d7ffc84ea742e1daf666426814e5bb6d0499433", "versionType": "git"}]}, {"collectionURL": "https://repo.hex.pm", "cpes": ["cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["'Elixir.MDExNative.Comrak'", "mdex_native_nif"], "packageName": "mdex_native", "packageURL": "pkg:hex/mdex_native", "product": "mdex_native", "programFiles": ["native/mdex_native_nif/src/lumis_adapter.rs"], "programRoutines": [{"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"}, {"name": "mdex_native_nif::lumis_adapter::LumisAdapter::highlight_lines_config"}, {"name": "mdex_native_nif::lumis_adapter::LumisAdapter::write_highlighted"}, {"name": "'Elixir.MDExNative.Native':document_to_html_with_options/2"}, {"name": "'Elixir.MDExNative.Comrak':document_to_html/2"}], "repo": "https://github.com/leandrocp/mdex_native", "vendor": "leandrocp", "versions": [{"lessThan": "0.2.3", "status": "affected", "version": "0.1.0", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["'Elixir.MDExNative.Comrak'", "mdex_native_nif"], "packageName": "leandrocp/mdex_native", "packageURL": "pkg:github/leandrocp/mdex_native", "product": "mdex_native", "programFiles": ["native/mdex_native_nif/src/lumis_adapter.rs"], "programRoutines": [{"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"}, {"name": "mdex_native_nif::lumis_adapter::LumisAdapter::highlight_lines_config"}, {"name": "mdex_native_nif::lumis_adapter::LumisAdapter::write_highlighted"}, {"name": "'Elixir.MDExNative.Native':document_to_html_with_options/2"}, {"name": "'Elixir.MDExNative.Comrak':document_to_html/2"}], "repo": "https://github.com/leandrocp/mdex_native", "vendor": "leandrocp", "versions": [{"lessThan": "798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3", "status": "affected", "version": "956528c5e31746253347029e810a969ab916fd27", "versionType": "git"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example <tt>syntax_highlight: [formatter: {:html_inline, ...}]</tt> or <tt>{:html_linked, ...}</tt>) and with full info-string forwarding enabled (<tt>render: [full_info_string: true]</tt>). Full info-string forwarding is required for comrak to hand the <tt>highlight_lines_class</tt> attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled.</p>"}], "value": "The vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example syntax_highlight: [formatter: {:html_inline, ...}] or {:html_linked, ...}) and with full info-string forwarding enabled (render: [full_info_string: true]). Full info-string forwarding is required for comrak to hand the highlight_lines_class attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled."}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.12.3", "versionStartIncluding": "0.11.3", "vulnerable": true}], "negate": false, "operator": "AND"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.2.3", "versionStartIncluding": "0.1.0", "vulnerable": true}], "negate": false, "operator": "AND"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Ullrich"}, {"lang": "en", "type": "remediation developer", "value": "Leandro Pereira"}, {"lang": "en", "type": "analyst", "value": "Jonatan M\u00e4nnchen / EEF"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.</p><p>When syntax highlighting and full info-string forwarding (<tt>render: [full_info_string: true]</tt>) are enabled, the Lumis adapter copies the value of a code fence's <tt>highlight_lines_class</tt> info-string attribute, unescaped, into the <tt>class</tt> attribute of every rendered line. <tt>comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes</tt> in <tt>native/comrak_nif/src/lumis_adapter.rs</tt> shlex-parses the info string and stores each <tt>key=value</tt> pair verbatim, <tt>highlight_lines_config</tt> pulls <tt>highlight_lines_class</tt> into the per-line class value, and <tt>write_highlighted</tt> interpolates that value directly into the <tt>class</tt> attribute of the per-line <tt>&lt;div&gt;</tt>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as <tt>'&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;'</tt> terminates the <tt>class</tt> attribute early and the markup that follows is emitted as live HTML.</p><p>An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.</p><p>The vulnerable native code originally shipped inside <tt>mdex</tt> (in <tt>native/comrak_nif/src/lumis_adapter.rs</tt>) and was later extracted into the separate <tt>mdex_native</tt> package (<tt>native/mdex_native_nif/src/lumis_adapter.rs</tt>), where it remains unpatched.</p><p>This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.\n\nWhen syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '\"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML.\n\nAn attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV4_0": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2.3, "baseSeverity": "LOW", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-06-29T18:50:17.185Z"}, "references": [{"tags": ["vendor-advisory", "related"], "url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-v664-pmxr-mxxx"}, {"tags": ["related"], "url": "https://cna.erlef.org/cves/CVE-2026-53427.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-53427"}, {"tags": ["patch"], "url": "https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3"}], "source": {"discovery": "EXTERNAL"}, "title": "Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Do not enable full info-string forwarding (<tt>render: [full_info_string: true]</tt>) when rendering untrusted Markdown, which prevents the <tt>highlight_lines_class</tt> attribute from reaching the highlighter. Alternatively, restrict <tt>highlight_lines_class</tt> values to a safe character set (for example <tt>[A-Za-z0-9_- ]</tt>) before rendering.</p>"}], "value": "Do not enable full info-string forwarding (render: [full_info_string: true]) when rendering untrusted Markdown, which prevents the highlight_lines_class attribute from reaching the highlighter. Alternatively, restrict highlight_lines_class values to a safe character set (for example [A-Za-z0-9_- ]) before rendering."}], "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-29T19:18:13.166991Z", "id": "CVE-2026-53427", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-29T19:19:28.028Z"}}]}}

{}

{}

{}

{}