VYPR
Medium severity 6.1 · NVD Advisory · Published May 20, 2026 · Updated May 20, 2026

CVE-2026-30691

Description

Cross-Site Scripting (XSS) vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanitize file content and explicitly casts raw data as a ReactNode.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Crafted .txt files can execute arbitrary JavaScript in @cyntler/react-doc-viewer v1.17.1 due to unsanitized ReactNode casting in TXTRenderer.

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability exists in the @cyntler/react-doc-viewer package version 1.17.1. The flaw resides in the TXTRenderer component (src/renderers/txt/index.tsx), which renders .txt file content by explicitly casting currentDocument?.fileData as a ReactNode without any sanitization or escaping [1][2]. This allows arbitrary HTML and JavaScript to be executed when the file is displayed.

Exploitation

An attacker creates a specially crafted .txt file containing malicious HTML/JavaScript (e.g., ``). The file is then loaded into the DocViewer component. No authentication or special network position is required beyond the ability to upload or provide the file to a victim. When the victim opens the file, the script executes in their browser context [1][2].

Impact

Successful exploitation results in arbitrary JavaScript execution in the victim's browser. This can lead to session hijacking, theft of cookies, unauthorized actions performed on behalf of the user, website defacement, and phishing attacks [2]. Both information disclosure and code execution are possible within the browser's security context.

Mitigation

As of the published date (2026-05-20), no official patch has been released. Users should sanitize file content before passing it to the viewer, for example by using a library like DOMPurify [2]. Alternatively, avoid using the TXTRenderer for untrusted .txt files. Monitor the repository for updates.
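One way to apply the "sanitize before passing to the viewer" advice, as an added example that is not code from the package or from the advisory. It swaps in plain HTML escaping for DOMPurify, since a .txt file needs no markup at all. Only `fileData` is named on this page; the `fileName` and `fileType` fields and all function names are assumptions.

```javascript
// Added example, not project code. Field names other than `fileData`
// and all function names are assumptions for illustration.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Decide from the declared type or the file name whether the entry is plain text.
function isTxtDocument(doc) {
  const type = String(doc.fileType || "").toLowerCase();
  const name = String(doc.fileName || "").toLowerCase();
  return type === "txt" || type === "text/plain" || name.endsWith(".txt");
}

// Normalise fileData to a string primitive; refuse objects, arrays and the like
// so nothing but text can reach a renderer that casts the value to a ReactNode.
function toText(data) {
  if (typeof data === "string") return data;
  if (data instanceof ArrayBuffer || ArrayBuffer.isView(data)) {
    return new TextDecoder("utf-8").decode(data);
  }
  throw new TypeError("txt fileData must be a string or a binary buffer");
}

// Returns a copy that is inert if interpreted as HTML, plus a flag for logging
// or quarantine when the supposedly plain-text file contained markup.
function prepareTxtDocument(doc) {
  if (!isTxtDocument(doc)) return { doc, hadMarkup: false };
  const text = toText(doc.fileData);
  const hadMarkup = /<\/?[a-z!][^>]*>/i.test(text);
  return { doc: { ...doc, fileData: escapeHtml(text) }, hadMarkup };
}

// Constructed sample input with harmless markup.
const sample = { fileName: "notes.txt", fileData: 'Total <b>due</b> & "paid"' };
const checked = prepareTxtDocument(sample);
console.log(checked.hadMarkup, checked.doc.fileData);
```

If the rendering path treats the string as text rather than HTML, the entities will display literally; the gate trades display fidelity for inert output.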

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
