Description
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.

'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta "link" or "image" attribute without applying a scheme allowlist or any normalization.

An attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an <a href> or <img src>, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in <img src> generally does not execute in modern browsers.

This issue affects mdex: from 0.8.3 before 0.13.2.
Published: 2026-06-29
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is the uncontrolled inclusion of arbitrary URL schemes in the Quill Delta output by the mdex library. When the Delta is rendered by downstream tools such as quill-delta-to-html or the Quill client, a URL containing a javascript: scheme is turned into an <a> or <img> element that executes code in the viewer's browser. An attacker who can supply Markdown text can therefore inject javascript: links or images, leading to the execution of arbitrary scripts, cookie theft, and other client-side compromise. The impact is a classic XSS that affects the confidentiality and integrity of the rendered content and of the users who view it.

Affected Systems

The affected product is leandrocp mdex. Versions impacted are 0.8.3 through 0.13.1. Teams running mdex should verify the exact version they are running and plan updates accordingly.

Risk and Exploitability

The calculated CVSS score of 5.1 indicates a medium severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is in untrusted input handling and the exploit requires only that the attacker supply Markdown text, the likelihood of successful exploitation is high in contexts where mdex output is rendered in a web page. The attack is delivered through an unfiltered javascript: URL inside the Delta, so a payload is trivial to craft.

Generated by OpenCVE AI on June 29, 2026 at 20:21 UTC.

Remediation

Vendor Workaround

Sanitize the Quill Delta produced by 'Elixir.MDEx':to_delta/2 before rendering it: drop or blank any "link" or "image" value whose URL scheme is not in a safe allowlist (http, https, mailto, tel).
OpenCVE Recommended Actions

  • Upgrade leandrocp mdex to version 0.13.2 or later, which implements a URL scheme allowlist.
  • Sanitize the Delta output before rendering: strip or replace any link or image URL whose scheme is not http, https, mailto, or tel. This can be done by filtering the 'link' and 'image' attributes in the Delta structure.
  • If upgrading or sanitizing the Delta output is not feasible, restrict Markdown editing to trusted users or disable link and image support entirely while the issue is unresolved.
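A sanitizer for the vendor workaround above and for the second recommended action, as an added example that is not mdex's own code: it walks the Delta ops, keeps only link/image URLs that are relative or use the http, https, mailto or tel schemes, and normalizes the value the way browsers do so that case and embedded whitespace tricks do not bypass the check. It is written in JavaScript on the assumption that the check runs where the Delta is rendered (for example in front of quill-delta-to-html); the Delta op shape is assumed from the Quill format.

```javascript
// Added example (not mdex's own code): sanitize a Quill Delta before a
// downstream renderer turns its link/image values into href/src attributes.
// Assumed Delta shape: ops with a string `insert` or an `{image: url}` embed,
// plus optional `attributes.link` / `attributes.image`.
const SAFE_SCHEMES = new Set(["http", "https", "mailto", "tel"]);
// Return the URL if it is relative or uses an allowlisted scheme, else null.
// Browsers strip ASCII tab/LF/CR from a URL and trim leading/trailing C0
// controls and spaces before parsing, so normalize the same way first.
function safeUrl(value) {
  if (typeof value !== "string") return null;
  const url = value.replace(/[\t\n\r]/g, "").replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (m === null) return url; // no scheme: relative URL, kept as-is
  return SAFE_SCHEMES.has(m[1].toLowerCase()) ? url : null;
}

// Return a new Delta with unsafe link/image values removed. A link whose URL
// is dropped becomes plain text; an image embed is blanked rather than deleted
// so the op count (and therefore Delta indexes) stays the same.
function sanitizeDelta(delta) {
  const ops = delta.ops.map((op) => {
    const out = { ...op };
    if (out.attributes) {
      const attrs = { ...out.attributes };
      for (const key of ["link", "image"]) {
        if (!(key in attrs)) continue;
        const u = safeUrl(attrs[key]);
        if (u === null) delete attrs[key];
        else attrs[key] = u;
      }
      if (Object.keys(attrs).length > 0) out.attributes = attrs;
      else delete out.attributes;
    }
    if (out.insert && typeof out.insert === "object" && "image" in out.insert) {
      const u = safeUrl(out.insert.image);
      out.insert = { ...out.insert, image: u === null ? "" : u };
    }
    return out;
  });
  return { ops };
}

// Constructed sample: the advisory's javascript: link plus benign content.
const SAMPLE_DELTA = { ops: [
  { insert: "click", attributes: { link: "javascript:alert(document.cookie)" } },
  { insert: "docs", attributes: { link: "https://example.com/docs", bold: true } },
  { insert: { image: "JavaScript:alert(1)" } },
] };
console.log(JSON.stringify(sanitizeDelta(SAMPLE_DELTA)));
```

Run the sanitized Delta, not the raw one, through the renderer; the input Delta is left unmodified so it can still be stored as authored.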


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 19:30:00 +0000

Type: Values Removed / Values Added
Description: added (text identical to the Description section above)
Title: Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)
First Time appeared: Leandrocp; Leandrocp mdex
Weaknesses: CWE-79
CPEs: cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*
Vendors & Products: Leandrocp; Leandrocp mdex
References: (none)
Metrics: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-29T20:48:52.206Z

Reserved: 2026-06-16T10:47:13.915Z

Link: CVE-2026-54889

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T20:30:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')