CVE-2026-54889 in mdex
Summary
by MITRE • 06/29/2026
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.
'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta "link" or "image" attribute without applying a scheme allowlist or any normalization.
An attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an <a href> or <img src> value, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in <img src> generally does not execute in modern browsers.
This issue affects mdex: from 0.8.3 before 0.13.2.
Analysis
by VulDB Data Team • 06/30/2026
This vulnerability represents a classic cross-site scripting flaw that demonstrates poor input sanitization practices in web application security. The issue occurs within the Elixir.MDEx library where Markdown text is converted to Quill Delta format, creating an attack vector through improper neutralization of input during web page generation. The vulnerability specifically affects versions prior to 0.13.2 and stems from a fundamental failure to validate URL schemes before incorporating them into structured data formats that will later be rendered as HTML content.
The technical implementation flaw resides in the Elixir.MDEx.DeltaConverter.default_convert_node/3 function which directly copies URL values from parsed Markdown nodes without any sanitization or scheme validation. This function processes link, wikilink, and image nodes by transferring their URL attributes verbatim into the Delta output structure, bypassing any security controls that should normally validate or normalize these values before they become part of the rendering pipeline. The absence of a scheme allowlist or normalization process creates an environment where malicious URLs can pass through undetected.
The operational impact of this vulnerability is significant as it enables attackers to inject malicious JavaScript code into web applications using the mdex library. When an attacker crafts Markdown text containing javascript: URLs such as [click](javascript:alert(document.cookie)), these URLs survive the conversion process and are embedded directly into the Delta output. The subsequent HTML rendering phase then executes this code in the context of any user who views the rendered content, creating a persistent XSS attack vector that can compromise user sessions and steal sensitive information.
The severity varies between different node types within the vulnerability scope, with link and wikilink nodes presenting the most dangerous attack surface since javascript: URLs in href attributes execute immediately when clicked. Image nodes present a lower impact vector because modern browsers typically do not execute javascript: URLs within img tags, though this protection is not universal across all rendering contexts. This classification aligns with CWE-79 which specifically addresses cross-site scripting vulnerabilities and the ATT&CK framework's T1203 (Exploitation for Client Execution) technique.
Organizations using affected versions of mdex should apply immediate mitigations: update to version 0.13.2 or later, where this vulnerability has been addressed; add a custom URL sanitization layer before markdown conversion; and deploy a content security policy that prevents execution of inline scripts in rendered content. The fix typically introduces a scheme allowlist that permits only safe protocols such as http, https, ftp, and mailto and rejects potentially dangerous schemes such as javascript, data, and vbscript that could enable code execution. Input validation should also be applied at multiple layers of the application, so that if one validation point fails, a subsequent control still prevents exploitation of similar flaws.
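The scheme allowlist and normalization that the Summary notes are missing, and that the mitigation paragraph above recommends, applied as a sanitization layer over the Quill Delta before it reaches a renderer such as quill-delta-to-html. This is an added example, not mdex code: the op shapes ({insert, attributes.link} and {insert: {image: url}}) follow the Quill Delta format, and the sample Delta is constructed to resemble what to_delta/2 would emit for the advisory's Markdown.

```javascript
// Allowlist from the advisory: only these schemes survive into link/image attributes.
const SAFE_SCHEMES = new Set(["http", "https", "ftp", "mailto"]);

// Decide whether a URL may be kept. Normalization mirrors what browsers do before
// parsing the scheme: strip leading/trailing ASCII whitespace and C0 controls,
// remove embedded tab/CR/LF, and compare the scheme case-insensitively.
function isSafeUrl(url) {
  if (typeof url !== "string") return false;
  const cleaned = url
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\r\n]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  if (!m) return true; // no scheme: relative URL or fragment, cannot be javascript:
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Walk a Delta's ops. Unsafe image embeds are dropped entirely; for text carrying an
// unsafe "link" attribute the text is kept and only the link attribute is removed.
function sanitizeDelta(ops) {
  const out = [];
  let removed = 0;
  for (const op of ops) {
    if (op.insert && typeof op.insert === "object" && "image" in op.insert) {
      if (!isSafeUrl(op.insert.image)) { removed++; continue; }
      out.push(op);
      continue;
    }
    if (op.attributes && "link" in op.attributes && !isSafeUrl(op.attributes.link)) {
      const { link, ...rest } = op.attributes;
      removed++;
      out.push(Object.keys(rest).length ? { insert: op.insert, attributes: rest }
                                        : { insert: op.insert });
      continue;
    }
    out.push(op);
  }
  return { ops: out, removed };
}

// Constructed sample Delta (assumed shape of mdex output, not captured from the library).
const SAMPLE_DELTA = [
  { insert: "click", attributes: { link: "javascript:alert(document.cookie)" } },
  { insert: " and " },
  { insert: "docs", attributes: { link: "https://hexdocs.pm/mdex", bold: true } },
  { insert: { image: " JaVaScRiPt:alert(1)" } }, // case/whitespace variant, needs normalization
  { insert: { image: "https://example.com/a.png" } },
  { insert: "\n" },
];
```

Run this over the Delta returned by the server before handing it to the client; the `removed` count is a useful signal to log, since a non-zero value means hostile Markdown reached the converter.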
This vulnerability highlights the critical importance of validating all user-supplied content at multiple points in the data processing pipeline, particularly when converting between different data formats and rendering contexts. The issue demonstrates how seemingly benign input processing functions can create security risks when proper sanitization controls are omitted, emphasizing the need for defense-in-depth approaches to web application security that incorporate both server-side validation and client-side protection mechanisms.