The vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example syntax_highlight: [formatter: {:html_inline, ...}] or {:html_linked, ...}) and with full info-string forwarding enabled (render: [full_info_string: true]). Full info-string forwarding is required for comrak to hand the highlight_lines_class attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled.
"}],"value":"The vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example syntax_highlight: [formatter: {:html_inline, ...}] or {:html_linked, ...}) and with full info-string forwarding enabled (render: [full_info_string: true]). Full info-string forwarding is required for comrak to hand the highlight_lines_class attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled."}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*","versionEndExcluding":"0.12.3","versionStartIncluding":"0.11.3","vulnerable":true}],"negate":false,"operator":"AND"},{"cpeMatch":[{"criteria":"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*","versionEndExcluding":"0.2.3","versionStartIncluding":"0.1.0","vulnerable":true}],"negate":false,"operator":"AND"}],"operator":"OR"}],"credits":[{"lang":"en","type":"finder","value":"Peter Ullrich"},{"lang":"en","type":"remediation developer","value":"Leandro Pereira"},{"lang":"en","type":"analyst","value":"Jonatan Männchen / EEF"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.
When syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML.
An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.
This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
"}],"value":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.\n\nWhen syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-lineDo not enable full info-string forwarding (render: [full_info_string: true]) when rendering untrusted Markdown, which prevents the highlight_lines_class attribute from reaching the highlighter. Alternatively, restrict highlight_lines_class values to a safe character set (for example [A-Za-z0-9_- ]) before rendering.
"}],"value":"Do not enable full info-string forwarding (render: [full_info_string: true]) when rendering untrusted Markdown, which prevents the highlight_lines_class attribute from reaching the highlighter. Alternatively, restrict highlight_lines_class values to a safe character set (for example [A-Za-z0-9_- ]) before rendering."}],"x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","assignerShortName":"EEF","cveId":"CVE-2026-53427","datePublished":"2026-06-29T18:50:17.185Z","dateReserved":"2026-06-09T11:01:47.529Z","dateUpdated":"2026-06-29T18:50:17.185Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"}