The vulnerability in leandrocp mdex (CVE-2026-54889) is an improper neutralization of input during web page generation, classified as CWE-79 (Cross-site Scripting). The function 'Elixir.MDEx':to_delta/2 converts Markdown into Quill Delta format, and 'Elixir.MDEx.DeltaConverter':default_convert_node/3 copies URLs from Markdown nodes directly into Delta attributes without applying any scheme allowlist or normalization. This allows malicious Markdown input containing javascript: URLs to persist into the Delta output. When this Delta is rendered to HTML by downstream renderers such as quill-delta-to-html or the Quill client, the javascript: scheme executes in the browser context of users viewing the content. The vulnerability affects mdex versions starting at 0.8.3 and before 0.13.2.

An attacker who can supply Markdown content can inject javascript: URLs that execute arbitrary JavaScript in the browsers of users who view the rendered content. This can lead to theft of cookies, session tokens, or other malicious actions executed in the context of the vulnerable site. The link and wikilink vectors are the most impactful because javascript: URLs in href attributes execute on click. The image vector is less impactful as modern browsers typically block javascript: in image src attributes. The CVSS 4.0 base score is 5.1 (medium severity), reflecting network attack vector, low complexity, no privileges required, user interaction needed, and low impact on confidentiality, integrity, and availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch has been documented at this time. Until a fix is available, users should avoid rendering untrusted Markdown content with mdex or ensure that downstream renderers apply strict URL scheme allowlists and normalization to prevent javascript: URLs from executing. Applying input validation or sanitization on Markdown input before processing can reduce risk. Monitor vendor channels for updates regarding an official fix.