CVE-2026-53427 PUBLISHED

Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute

Assigner: EEF
Reserved: 09.06.2026 Published: 29.06.2026 Updated: 30.06.2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.

When syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML.

An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.

The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.

This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 2.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	Low
Attack Complexity	Low	Integrity	None	Integrity	Low
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	leandrocp
Product	mdex
Versions	Default: unaffected affected from 0.11.3 to 0.12.3 (excl.)

Vendor	leandrocp
Product	mdex
Versions	Default: unaffected affected from 0d7ffc84ea742e1daf666426814e5bb6d0499433 to 6ed94d905f97af188323f042698ae841c02293b4 (excl.)

Vendor	leandrocp
Product	mdex_native
Versions	Default: unaffected affected from 0.1.0 to 0.2.3 (excl.)

Vendor	leandrocp
Product	mdex_native
Versions	Default: unaffected affected from 956528c5e31746253347029e810a969ab916fd27 to 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3 (excl.)

Affected Configurations

The vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example syntax_highlight: [formatter: {:html_inline, ...}] or {:html_linked, ...}) and with full info-string forwarding enabled (render: [full_info_string: true]). Full info-string forwarding is required for comrak to hand the highlight_lines_class attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled.

Workarounds

Do not enable full info-string forwarding (render: [full_info_string: true]) when rendering untrusted Markdown, which prevents the highlight_lines_class attribute from reaching the highlighter. Alternatively, restrict highlight_lines_class values to a safe character set (for example [A-Za-z0-9_- ]) before rendering.

Credits

Peter Ullrich finder
Leandro Pereira remediation developer
Jonatan Männchen / EEF analyst

References

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE

Impacts

CAPEC-63 Cross-Site Scripting (XSS)