Cross-site Scripting Vulnerability in mdex and mdex_native by leandrocp
CVE-2026-53427

2.3 LOW

Key Information:

Vendor: Leandrocp
CVE Published: 29 June 2026

What is CVE-2026-53427?

A Cross-site Scripting (XSS) vulnerability exists in mdex and mdex_native due to improper handling of Markdown input. This allows attackers to inject malicious HTML and JavaScript code through user-generated content such as comments or posts. Consequently, any user accessing the rendered output may experience unauthorized actions, including session hijacking and account compromise. The issue arises from flaws in how the syntax highlighting features of the Lumis adapter are implemented, resulting in unsafe handling of code attribute values. Updates have been issued, but specific versions remain unpatched, putting users at risk.

Affected Version(s)

mdex 0.11.3 < 0.12.3

mdex 0d7ffc84ea742e1daf666426814e5bb6d0499433 < 6ed94d905f97af188323f042698ae841c02293b4

mdex_native 0.1.0 < 0.2.3
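
A lockfile check for the ranges listed above, as an added example (not code from the mdex project or from this advisory): it reads the Hex entries of a `mix.lock` and reports any locked mdex or mdex_native version inside an affected range. Assumptions: each range is read as "first affected <= version < first fixed", the sample lockfile and its checksums are constructed, and the Git commit range is not covered.

```python
import re

# Affected ranges from this page, read as: first affected <= version < first fixed.
AFFECTED = {
    "mdex": ("0.11.3", "0.12.3"),
    "mdex_native": ("0.1.0", "0.2.3"),
}

# A Hex entry in mix.lock:  "name": {:hex, :name, "1.2.3", "checksum", ...
# Git dependencies ({:git, ...}) carry no version and are skipped.
LOCK_ENTRY = re.compile(r'^\s*"(?P<app>[^"]+)":\s*\{:hex,\s*:\w+,\s*"(?P<ver>[^"]+)"')

# Constructed sample lockfile; the checksums are placeholders.
SAMPLE_LOCK = '''%{
  "jason": {:hex, :jason, "1.4.4", "constructed", [:mix], [], "hexpm", "constructed"},
  "mdex": {:hex, :mdex, "0.11.5", "constructed", [:mix], [], "hexpm", "constructed"},
  "mdex_native": {:hex, :mdex_native, "0.2.3", "constructed", [:mix], [], "hexpm", "constructed"},
}'''


def version_key(text):
    """Sortable key for a three-part version; a pre-release sorts below its release."""
    core, _, _build = text.partition("+")      # build metadata does not affect ordering
    core, dash, _pre = core.partition("-")     # "-rc.1" marks a pre-release
    nums = ([int(p) for p in core.split(".")] + [0, 0, 0])[:3]
    return (*nums, 0 if dash else 1)


def find_affected(lock_text):
    """Return [(package, version)] for locked Hex packages inside an affected range."""
    hits = []
    for line in lock_text.splitlines():
        m = LOCK_ENTRY.match(line)
        if not m or m["app"] not in AFFECTED:
            continue
        first, fixed = AFFECTED[m["app"]]
        if version_key(first) <= version_key(m["ver"]) < version_key(fixed):
            hits.append((m["app"], m["ver"]))
    return hits


if __name__ == "__main__":
    for app, ver in find_affected(SAMPLE_LOCK):
        print(f"{app} {ver} is in the affected range; upgrade to {AFFECTED[app][1]} or later")
```

A pre-release of the fixed version (for example `0.12.3-rc.1`) is deliberately reported as affected, since it sorts below the fixed release.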

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Leandro Pereira
Jonatan Männchen / EEF