CVE-2026-46492
7.2 HIGHmd-fileserver allows for local viewing of markdown files in a browser
Published: 2026-06-09 · Last updated: 2026-06-09
Severity and scoring
- CVSS
- 7.2 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- CWE
- CWE-80, CWE-87
Description
md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including <script> tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain. This issue has been patched in version 1.10.3.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-46492
- [Other]https://github.com/commenthol/md-fileserver/releases/tag/v1.10.3
- [Other]https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv
- [Other]https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv
Related CVEs
Same CWE
- CVE-2026-34033 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer (5.4 MEDIUM)
- CVE-2026-25688 — Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer (6.1 MEDIUM)
- CVE-2026-11511 — A weakness has been identified in Bolt CMS up to 3.7.5 (3.5 LOW)
- CVE-2026-9646 — A reflected cross-site scripting issue exists in URL handling (6.1 MEDIUM)
- CVE-2026-44839 — RabbitMQ is a messaging and streaming broker (4.8 MEDIUM)