{"affected":[{"package":{"ecosystem":"Hex","name":"mdex","purl":"pkg:hex/mdex"},"ranges":[{"events":[{"introduced":"0.11.3"},{"fixed":"0.12.3"}],"type":"SEMVER"}],"versions":["0.11.3","0.11.4","0.11.5","0.11.6","0.11.7","0.12.0","0.12.1","0.12.2"]},{"package":{"ecosystem":"Hex","name":"mdex_native","purl":"pkg:hex/mdex_native"},"ranges":[{"events":[{"introduced":"0.1.0"},{"fixed":"0.2.3"}],"type":"SEMVER"}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.2.0","0.2.1","0.2.2"]},{"ranges":[{"events":[{"introduced":"0d7ffc84ea742e1daf666426814e5bb6d0499433"},{"fixed":"6ed94d905f97af188323f042698ae841c02293b4"}],"repo":"https://github.com/leandrocp/mdex","type":"GIT"}]},{"ranges":[{"events":[{"introduced":"956528c5e31746253347029e810a969ab916fd27"},{"fixed":"798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3"}],"repo":"https://github.com/leandrocp/mdex_native","type":"GIT"}]}],"aliases":["GHSA-v664-pmxr-mxxx","CVE-2026-53427"],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Leandro Pereira","type":"REMEDIATION_DEVELOPER"},{"name":"Jonatan Männchen / EEF","type":"ANALYST"}],"database_specific":{"capec_ids":["CAPEC-63"],"cpe_ids":["cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*","cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-79"]},"details":"## Summary\n\nImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.\n\nWhen syntax highlighting and full info-string forwarding (render: \\[full\\_info\\_string: true\\]) are enabled, the Lumis adapter copies the value of a code fence's highlight\\_lines\\_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak\\_nif::lumis\\_adapter::LumisAdapter::parse\\_custom\\_attributes in native/comrak\\_nif/src/lumis\\_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight\\_lines\\_config pulls highlight\\_lines\\_class into the per-line class value, and write\\_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '\"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML.\n\nAn attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak\\_nif/src/lumis\\_adapter.rs) and was later extracted into the separate mdex\\_native package (native/mdex\\_native\\_nif/src/lumis\\_adapter.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.3 before 0.12.3, and mdex\\_native from 0.1.0 before 0.2.3.\n\n## Workaround\n\nDo not enable full info-string forwarding (render: \\[full\\_info\\_string: true\\]) when rendering untrusted Markdown, which prevents the highlight\\_lines\\_class attribute from reaching the highlighter. Alternatively, restrict highlight\\_lines\\_class values to a safe character set (for example \\[A-Za-z0-9\\_- \\]) before rendering.\n\n## Configuration\n\nThe vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example syntax\\_highlight: \\[formatter: {:html\\_inline, ...}\\] or {:html\\_linked, ...}) and with full info-string forwarding enabled (render: \\[full\\_info\\_string: true\\]). Full info-string forwarding is required for comrak to hand the highlight\\_lines\\_class attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled.","id":"EEF-CVE-2026-53427","modified":"2026-06-29T18:50:17.185Z","published":"2026-06-29T18:50:17.185Z","references":[{"type":"ADVISORY","url":"https://github.com/leandrocp/mdex_native/security/advisories/GHSA-v664-pmxr-mxxx"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-53427.html"},{"type":"FIX","url":"https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3"},{"type":"PACKAGE","url":"https://hex.pm/packages/mdex"},{"type":"PACKAGE","url":"https://hex.pm/packages/mdex_native"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","type":"CVSS_V4"}],"summary":"Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute","upstream":[]}