XSS Vulnerability in mdex Affects Quill Delta Output by LeandroCP
CVE-2026-54889

5.1 MEDIUM

Key Information:

Vendor

Leandrocp

Status
Vendor
CVE Published:
29 June 2026

What is CVE-2026-54889?

The mdex library, created by LeandroCP, does not properly neutralize input during web page generation, allowing cross-site scripting (XSS). The flaw lies in the 'to_delta/2' function, which converts Markdown into Quill Delta without sanitizing URL schemes. An attacker can craft Markdown containing 'javascript:' URLs that pass through unsanitized and are rendered directly into HTML; JavaScript then executes in the context of the user's browser when they interact with the affected 'a' or 'img' elements, for example by clicking a link or viewing an image. The issue affects mdex versions from 0.8.3 up to, but not including, 0.13.2, which contains the fix.
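As an added illustration, not mdex's own code (which is Elixir): a scheme allowlist applied to the link and image URLs of a Quill Delta document, the kind of check the affected 'to_delta/2' lacked. The Delta shapes used ({"insert": text, "attributes": {"link": url}} and {"insert": {"image": url}}), the ALLOWED_SCHEMES set and the sample document are assumptions constructed for this example.

```python
import re

# Schemes permitted on Delta link and image URLs; everything else is dropped.
# Widen this deliberately (e.g. add "data" for inline images) rather than block-listing.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def is_safe_url(url: str) -> bool:
    """True if the URL is scheme-less (relative) or its scheme is on the allowlist."""
    # Browsers ignore leading control characters and spaces before the scheme,
    # so strip them first and compare the scheme case-insensitively.
    cleaned = re.sub(r"^[\x00-\x20]+", "", url)
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        return True  # relative URL such as "/static/logo.png"
    return match.group(1).lower() in ALLOWED_SCHEMES


def sanitize_delta(delta: dict) -> tuple[dict, list[str]]:
    """Return a copy of the Delta with unsafe link/image URLs removed, plus the rejected URLs."""
    rejected: list[str] = []
    ops = []
    for op in delta.get("ops", []):
        insert = op.get("insert")
        attrs = dict(op.get("attributes") or {})
        if isinstance(insert, dict) and "image" in insert and not is_safe_url(insert["image"]):
            rejected.append(insert["image"])
            continue  # drop the image embed entirely
        link = attrs.get("link")
        if link is not None and not is_safe_url(link):
            rejected.append(link)
            del attrs["link"]  # keep the text, drop only the unsafe link
        new_op = {"insert": insert}
        if attrs:
            new_op["attributes"] = attrs
        ops.append(new_op)
    return {"ops": ops}, rejected


# Constructed sample: what an unsanitized Markdown-to-Delta conversion might emit.
SAMPLE_DELTA = {"ops": [
    {"insert": "safe", "attributes": {"link": "https://example.com"}},
    {"insert": "\n"},
    {"insert": "unsafe", "attributes": {"link": "javascript:alert(1)", "bold": True}},
    {"insert": {"image": " JavaScript:alert(1)"}},
    {"insert": {"image": "/static/logo.png"}},
    {"insert": "mail", "attributes": {"link": "mailto:a@example.com"}},
]}

if __name__ == "__main__":
    clean, dropped = sanitize_delta(SAMPLE_DELTA)
    print(clean)
    print("rejected:", dropped)
```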

Affected Version(s)

mdex 0.8.3 < 0.13.2

mdex 9852db2456fdc9d856eb636603a7f608e22e3793 < 2817147f5b87ce7186aa604c9ee72499485b8f2f

References

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Peter Ullrich
Leandro Pereira
Jonatan Männchen / EEF