CVE-2026-46492
md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
| CVSS Score | 7.2 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
md-fileserver allows for local viewing of Markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability exists in the application's Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML, including `<script>` tags, is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain. This issue has been patched in version 1.10.3.
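To make the advisory's point concrete, the following is an added example (not md-fileserver's own code, and not its fix) showing the two behaviours side by side in a deliberately tiny Markdown renderer: with raw HTML passed through, a `<script>` tag in the source lands verbatim in the page; with raw HTML escaped before the Markdown-to-HTML step, the same input renders as inert text. The sample Markdown, the `renderMarkdown`/`renderInline` helpers and the `containsActiveHtml` check are all constructed for this illustration.

```javascript
// Added illustration, not md-fileserver's code: a minimal Markdown renderer with
// a switch for raw-HTML passthrough, the behaviour class the advisory describes.

// Escape the five characters that matter when text is placed into HTML.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render inline Markdown (code spans, bold, italics) for one text segment.
// Code spans are handled first so their contents are never treated as markup.
function renderInline(text, allowRawHtml) {
  const parts = text.split(/(`[^`]*`)/);
  return parts
    .map((part) => {
      if (part.length >= 2 && part.startsWith('`') && part.endsWith('`')) {
        return '<code>' + escapeHtml(part.slice(1, -1)) + '</code>';
      }
      // The security-relevant decision: either trust raw HTML in the source
      // (vulnerable) or escape it so it can only ever render as text (safe).
      let out = allowRawHtml ? part : escapeHtml(part);
      out = out.replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>');
      out = out.replace(/\*([^*]+)\*/g, '<em>$1</em>');
      return out;
    })
    .join('');
}

// Split the document into blank-line separated blocks and render each as a
// heading (#..######) or a paragraph.
function renderMarkdown(md, { allowRawHtml = false } = {}) {
  const blocks = md.split(/\n\s*\n/).map((b) => b.trim()).filter(Boolean);
  return blocks
    .map((block) => {
      const heading = /^(#{1,6})\s+(.*)$/.exec(block);
      if (heading) {
        const level = heading[1].length;
        return `<h${level}>${renderInline(heading[2], allowRawHtml)}</h${level}>`;
      }
      return `<p>${renderInline(block.replace(/\n/g, ' '), allowRawHtml)}</p>`;
    })
    .join('\n');
}

// Defender-side check on rendered output: does it contain a real script tag or
// an inline event-handler attribute inside a real tag? Escaped text never does.
function containsActiveHtml(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample input: a Markdown file carrying raw HTML of the kind the
// advisory describes (a script tag and an event-handler attribute).
const SAMPLE_MD = `# Notes

Some *emphasis* and a \`code span\`.

<script>alert(document.domain)</script>
<img src=x onerror="alert(1)">`;

const vulnerableOutput = renderMarkdown(SAMPLE_MD, { allowRawHtml: true });
const hardenedOutput = renderMarkdown(SAMPLE_MD);

console.log('raw HTML allowed  -> active content:', containsActiveHtml(vulnerableOutput));
console.log('raw HTML escaped  -> active content:', containsActiveHtml(hardenedOutput));
console.log(hardenedOutput);
```

In a real deployment the renderer is a library, not hand-rolled code; the equivalent defensive choices there are to disable raw-HTML passthrough in the Markdown engine or to run its output through an HTML sanitizer such as DOMPurify before serving it, and `containsActiveHtml` above is only a coarse regression check, not a substitute for either.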
| CWE | CWE-80, CWE-87 |
| Vendor | commenthol |
| Product | md-fileserver |
| Published | Jun 9, 2026 |
| Last Updated | Jun 9, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
| commenthol / md-fileserver | < 1.10.3 |