md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
Description
Summary
A cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including
Open it in a browser.
View the HTTP request in Burp Collaborator.
### Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser, leading to:
- Session hijacking
- Account takeover
- Credential theft
- Defacement or injection of malicious content
- Exfiltration of sensitive data via API tokens, CSRF tokens, or user information
This affects all users who can view Markdown content within the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored/reflected XSS vulnerability in Markdown rendering allows arbitrary JavaScript execution via unsanitized raw HTML, leading to session hijacking and data theft.
Vulnerability
Overview
The application's Markdown rendering logic contains a cross-site scripting (XSS) vulnerability because the markdown-it library is configured with `html: true` in config.js (lines 26–30), allowing raw HTML to pass through. The rendering function in lib/markd.js (lines 33–58) does not sanitize the output, and the resulting HTML is injected into the page template via `<%= markdown %>` without encoding [1][2]. As a result, any `<script>` tags or event handlers embedded in user-supplied Markdown are executed in the victim's browser.
Exploitation
An attacker can craft a Markdown file containing malicious HTML, such as a `<script>` block that exfiltrates sensitive data. When a victim views or previews this Markdown, the script executes in the context of the affected domain. No special privileges are required beyond the ability to upload or share Markdown content; any user who can view the rendered output is a potential target [1][2]. The proof-of-concept demonstrates fetching `/etc/passwd` with credentials and sending the result to an attacker-controlled server.
Impact
Successful exploitation allows arbitrary JavaScript execution, enabling session hijacking, account takeover, credential theft, defacement, and exfiltration of API tokens, CSRF tokens, or other sensitive data. All users who can view Markdown content within the application are affected [1][2].
Mitigation
As of the publication date, no patch has been announced. Mitigation requires disabling raw HTML in the Markdown renderer (setting html: false in the markdown-it configuration) or implementing a robust HTML sanitizer (e.g., DOMPurify) before rendering. Output encoding in the template should also be enforced [1][2].
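The Overview above names the constructs that reach the browser when raw HTML passes through (script tags, event handlers), and the Mitigation names the fix (`html: false`, or a sanitizer such as DOMPurify, plus output encoding). The following Node.js check is an added example, not md-fileserver's own code and not part of this advisory: it is the regression gate a defender can run over the renderer's output after applying the mitigation, flagging script tags, inline event handlers and script-scheme URLs, and it shows side by side the output shape of a renderer that copies an HTML block through verbatim versus one that escapes it. It does not depend on markdown-it; the two render functions, the sample HTML blocks and all function names are constructed here and are assumptions.

```javascript
// Added example for this advisory; it is not md-fileserver's code and does not use
// markdown-it. It models one documented markdown-it behaviour: with html: true an HTML
// block is copied to the output verbatim, with html: false it is escaped and shown as text.

// Tags that run script or load active/foreign content if they reach the page.
const ACTIVE_TAGS = ['script', 'iframe', 'object', 'embed', 'svg', 'math', 'base', 'meta', 'link', 'form'];
const ACTIVE_TAG_RE = new RegExp(`<\\s*(${ACTIVE_TAGS.join('|')})\\b`, 'gi');
// Inline event-handler attributes (onerror=, onload=, onclick=, ...) inside any tag.
const EVENT_HANDLER_RE = /<[^>]*?\s(on[a-z]+)\s*=/gi;
// URL-bearing attributes whose value starts with a script-capable scheme.
const SCRIPT_URL_RE = /\b(?:href|src|action|formaction|xlink:href)\s*=\s*["']?\s*(javascript\s*:|vbscript\s*:|data\s*:\s*text\/html)/gi;

// Scan rendered HTML and return every construct that would execute in a viewer's browser,
// ordered by position so a report reads top to bottom.
function findActiveContent(html) {
  const findings = [];
  for (const m of html.matchAll(ACTIVE_TAG_RE)) {
    findings.push({ kind: 'tag', value: m[1].toLowerCase(), index: m.index });
  }
  for (const m of html.matchAll(EVENT_HANDLER_RE)) {
    findings.push({ kind: 'event-handler', value: m[1].toLowerCase(), index: m.index });
  }
  for (const m of html.matchAll(SCRIPT_URL_RE)) {
    findings.push({ kind: 'script-url', value: m[1].replace(/\s+/g, '').toLowerCase(), index: m.index });
  }
  return findings.sort((a, b) => a.index - b.index);
}

// CI / regression gate: reject any rendered page that still carries active content.
function assertInert(html) {
  const findings = findActiveContent(html);
  if (findings.length > 0) {
    const summary = findings.map((f) => `${f.kind} ${f.value} at offset ${f.index}`).join('; ');
    throw new Error(`rendered Markdown contains active content: ${summary}`);
  }
  return true;
}

// What a renderer with raw HTML disabled does to an HTML block: every markup character
// is escaped, so the browser displays the text instead of parsing it.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: raw HTML blocks of the kind a user-supplied Markdown file might
// carry. The handler bodies only log a marker; the point is that they run at all.
const RAW_HTML_BLOCKS = [
  '<img src="x" onerror="console.log(\'raw html executed\')">',
  '<script>console.log("raw html executed")</script>',
  '<a href="javascript:console.log(1)">release notes</a>',
];

// Output shape with html: true: the block is copied into the document unchanged.
// (Constructed to mirror that behaviour; not produced by markdown-it.)
function renderWithRawHtml(blocks) {
  return '<h1>Release notes</h1>\n' + blocks.join('\n') + '\n<p>Plain paragraph text.</p>\n';
}

// Output shape with html: false: the same block is escaped and emitted as a paragraph.
function renderWithRawHtmlDisabled(blocks) {
  const escaped = blocks.map((b) => `<p>${escapeHtml(b)}</p>`).join('\n');
  return '<h1>Release notes</h1>\n' + escaped + '\n<p>Plain paragraph text.</p>\n';
}

// Demo: the vulnerable shape yields three findings, the hardened shape none.
console.log('html: true  ->', findActiveContent(renderWithRawHtml(RAW_HTML_BLOCKS)));
console.log('html: false ->', findActiveContent(renderWithRawHtmlDisabled(RAW_HTML_BLOCKS)));
```

In the application itself the change the advisory calls for is the markdown-it option (`html: false`) and, where raw HTML must be kept, a sanitizer such as DOMPurify between renderer and template; `assertInert` is the test that proves the rendered output stays inert after that change, and it should run on every fixture the renderer is expected to handle.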
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: < 1.10.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions
No linked articles in our index yet.