Vulnerability description

Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.

'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta "link" or "image" attribute without applying a scheme allowlist or any normalization.

An attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an <a href> or <img src>, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in <img src> generally does not execute in modern browsers.

This issue affects mdex: from 0.8.3 before 0.13.2.

Affected

pkg:hex/mdex

Status     Type     Version   Changes / Fixed in
affected   semver   0.8.3     < 0.13.2

pkg:github/leandrocp/mdex

Module                Source File                   Routine
MDEx                  lib/mdex.ex                   MDEx.to_delta/2
MDEx.DeltaConverter   lib/mdex/delta_converter.ex   MDEx.DeltaConverter.convert/2
                                                    MDEx.DeltaConverter.default_convert_node/3

Status     Type   Version      Changes / Fixed in
affected   git    9852db2456   < 2817147f5b

Configurations

The application must pass untrusted Markdown to 'Elixir.MDEx':to_delta/2 and then render the resulting Quill Delta to HTML with a renderer that maps the "link" and "image" attributes to href and src without applying its own URL scheme sanitization (for example quill-delta-to-html or the Quill client).

Workarounds

Sanitize the Quill Delta produced by 'Elixir.MDEx':to_delta/2 before rendering it: drop or blank any "link" or "image" value whose URL scheme is not in a safe allowlist (http, https, mailto, tel).
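One way to apply this workaround on the rendering side, as an added example that is not part of this advisory or of the mdex project: a small pass over the Delta's ops before it reaches quill-delta-to-html or the Quill client. It assumes the standard Quill Delta shape, where a link is carried in `attributes.link` on a text insert and an image is an `insert: {image: url}` embed; the allowlist is the one named above. The scheme check strips ASCII control characters and whitespace first, because browsers ignore those when parsing a scheme, and treats scheme-less (relative) URLs as safe since they inherit the page's own scheme.

```javascript
// Added example (not MDEx code): sanitize "link" and "image" URLs in a Quill Delta
// before rendering. Assumes the standard Delta shape {ops: [{insert, attributes}]}.
const SAFE_SCHEMES = new Set(["http", "https", "mailto", "tel"]);

// Return the lowercased URL scheme, or null when the URL has none (relative URL).
function urlScheme(url) {
  // Browsers drop ASCII control characters and whitespace while parsing a
  // scheme, so "java\tscript:" and " javascript:" must be treated as "javascript".
  const cleaned = String(url).replace(/[\u0000-\u0020\u007f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// A URL is safe when it is relative (no scheme) or its scheme is allowlisted.
function isSafeUrl(url) {
  const scheme = urlScheme(url);
  if (scheme === null) return true;
  return SAFE_SCHEMES.has(scheme);
}

// Return a copy of the Delta with unsafe links dropped and unsafe image
// sources blanked; the input is not mutated.
function sanitizeDelta(delta) {
  const ops = (delta.ops || []).map((op) => {
    const out = { ...op };

    // Text insert carrying a link attribute: drop the attribute entirely.
    if (op.attributes && Object.prototype.hasOwnProperty.call(op.attributes, "link")) {
      const attrs = { ...op.attributes };
      if (!isSafeUrl(attrs.link)) delete attrs.link;
      if (Object.keys(attrs).length === 0) delete out.attributes;
      else out.attributes = attrs;
    }

    // Image embed: blank the source so the renderer emits no usable src.
    if (op.insert && typeof op.insert === "object" && "image" in op.insert) {
      if (!isSafeUrl(op.insert.image)) out.insert = { ...op.insert, image: "" };
    }

    return out;
  });
  return { ...delta, ops };
}

// Constructed sample Delta, modelled on the advisory's own example payload.
const SAMPLE_DELTA = {
  ops: [
    { insert: "click", attributes: { link: "javascript:alert(document.cookie)" } },
    { insert: "docs", attributes: { link: "https://example.com/docs", bold: true } },
    { insert: { image: "JAVA\tSCRIPT:alert(1)" } },
    { insert: { image: "/img/logo.png" } },
    { insert: "\n" },
  ],
};

module.exports = { urlScheme, isSafeUrl, sanitizeDelta, SAMPLE_DELTA };
```

Run `sanitizeDelta(SAMPLE_DELTA)` on the constructed Delta above: the first op loses its `link` attribute (and, having no other attributes, the `attributes` key itself), the second op keeps both its link and its `bold` flag, the third op's image source becomes an empty string, and the relative image path on the fourth op is left untouched. Dropping the attribute rather than replacing it with a placeholder URL keeps the visible text while guaranteeing the renderer has nothing to put into `href`.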

References

Credits

  • Finder: Peter Ullrich
  • Remediation developer: Leandro Pereira
  • Analyst: Jonatan Männchen / EEF

CVE record as JSON:  GET /cves/CVE-2026-54889.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-54889.json