Threat Intelligence Database

A cross-site scripting (XSS) vulnerability exists in leandrocp mdex versions 0.8.3 up to but not including 0.13.2. The vulnerability arises because the software improperly neutralizes input during web page generation by copying URLs from Markdown directly into Quill Delta attributes without validating or normalizing the URL scheme. This allows an attacker controlling Markdown input to inject javascript: URLs that execute script in the browser when rendered by downstream HTML renderers. The issue primarily affects link and wikilink nodes, with image nodes posing a lower risk due to modern browser restrictions on javascript: in image sources.

CVE-2026-54888 is an uncontrolled recursion vulnerability in the leandrocp mdex package that can cause a denial of service via deeply nested Markdown input. The vulnerability arises from two mutually recursive Rust functions used to convert between Elixir and Comrak AST representations without enforcing a maximum recursion depth. This leads to a stack overflow and process termination when rendering malicious Markdown documents. The issue affects mdex versions from 0.3.0 before 0.12.3 and mdex_native versions from 0.1.0 before 0.2.3. No special privileges are required to exploit this vulnerability.

CVE-2026-53429 is a memory leak vulnerability in the leandrocp mdex and mdex_native packages. The issue occurs when rendering documents containing escaped-tag nodes, causing native memory to be permanently leaked. This leak happens because the native code calls Box::leak on strings, preventing memory from being freed for the lifetime of the process. Applications rendering user-supplied content with mdex or mdex_native are vulnerable to denial of service due to unbounded memory exhaustion. The vulnerability affects mdex versions from 0.11.0 up to but not including 0.12.3, and mdex_native versions from 0.1.0 up to but not including 0.2.3. No official fix or patch is currently documented.

CVE-2026-53426 is a high-severity vulnerability in the leandrocp mdex library versions 0.4.3 up to but not including 0.13.2. It involves allocation of resources without limits or throttling, where attacker-controlled input causes excessive atom creation in the Erlang VM. This leads to exhaustion of the atom table and crashes the entire Erlang VM, resulting in an unauthenticated denial-of-service. The vulnerability arises from the mdex.parse_document/2 function processing untrusted JSON input that triggers permanent atom allocation via String.to_atom/1 calls. No official patch or remediation level is currently documented.

Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation. comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block's highlight_lines decorator into a Vec<usize>, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines="1-100000000", forcing the native adapter to allocate roughly 8 bytes per line in the range. A payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory. The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched. This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown. When syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML. An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required. The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched. This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.