Uncontrolled Recursion Vulnerability in MDEx by leandrocp
CVE-2026-54888

6.9 MEDIUM

Key Information:

Vendor: Leandrocp
CVE Published: 29 June 2026

What is CVE-2026-54888?

The MDEx library is impacted by an uncontrolled recursion vulnerability that allows attackers to exploit deeply nested Markdown input, resulting in a denial of service. The underlying issue arises from the absence of a maximum nesting depth in the Rust functions processing the Markdown, leading to unbounded recursion. When an attacker crafts a Markdown document with extensive nesting of block quotes, it results in a stack overflow that cannot be handled by the Erlang runtime, causing the termination of the BEAM process and affecting all Elixir and Erlang processes on the node. This vulnerability is not limited by authentication or user privileges, making it a significant risk for all users of the affected versions.
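The missing control described above, a maximum nesting depth enforced inside the recursive walk, shown as an added Rust example that is not MDEx's code. `Node`, `RenderError`, `to_html`, `render`, `nested` and the `MAX_DEPTH` value of 128 are hypothetical, and the tree is constructed sample data.

```rust
// Added illustration, not MDEx source. All names and the limit are assumptions.
const MAX_DEPTH: usize = 128;

#[derive(Debug)]
enum Node {
    Text(String),
    BlockQuote(Vec<Node>),
}

#[derive(Debug, PartialEq)]
enum RenderError {
    TooDeep { limit: usize },
}

// Recursive walk that carries its own depth and fails cleanly at the limit,
// so stack use is bounded no matter how deep the input tree is.
fn to_html(node: &Node, depth: usize, out: &mut String) -> Result<(), RenderError> {
    if depth > MAX_DEPTH {
        return Err(RenderError::TooDeep { limit: MAX_DEPTH });
    }
    match node {
        // Sample text only; a real renderer would HTML-escape `s`.
        Node::Text(s) => out.push_str(&format!("<p>{}</p>", s)),
        Node::BlockQuote(children) => {
            out.push_str("<blockquote>");
            for child in children {
                to_html(child, depth + 1, out)?;
            }
            out.push_str("</blockquote>");
        }
    }
    Ok(())
}

// Entry point: an Err here can be returned to the caller as an ordinary
// error value instead of overflowing the native stack.
fn render(root: &Node) -> Result<String, RenderError> {
    let mut out = String::new();
    to_html(root, 0, &mut out)?;
    Ok(out)
}

// Constructed sample: a paragraph wrapped in `levels` block quotes, built iteratively.
fn nested(levels: usize) -> Node {
    (0..levels).fold(Node::Text("hi".into()), |n, _| Node::BlockQuote(vec![n]))
}

fn main() {
    println!("{:?}", render(&nested(2)));
    println!("{:?}", render(&nested(MAX_DEPTH + 1)));
}
```

The same counter belongs in every recursive stage, including the one that builds the tree, since a guard in one walk does not bound the others.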

Affected Version(s)

mdex 0.3.0 < 0.12.3

mdex d0bc7d55177727c61d188ef465178ab3b81f4f2c < 6ed94d905f97af188323f042698ae841c02293b4

mdex_native 0.1.0 < 0.2.3

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Leandro Pereira
Jonatan Männchen / EEF