GHSA-h5jc-78hr-3pc9: Sveltia CMS: Stored XSS in Markdown/RichText preview via unsandboxed same-origin iframe
A stored cross-site scripting (XSS) vulnerability affected the Markdown/RichText field preview renderer in Sveltia CMS.
The DOMPurify sanitization configuration used for Markdown previews explicitly permitted iframe elements without enforcing a sandbox attribute or restricting iframe sources. Sanitized Markdown output was then inserted into the CMS preview DOM as raw HTML. Because no sandboxing or source validation was applied, a Markdown field containing an iframe whose src pointed to a same-origin uploaded or publicly accessible HTML asset rendered an unsandboxed iframe. Since the framed document shared the CMS origin and the frame carried no sandbox, the browser's same-origin policy granted its JavaScript full access to the parent CMS window: it could read and write the parent window's state, DOM and browser storage, and trigger actions in the CMS context.
The practical impact is limited in currently supported Sveltia CMS usage because the CMS is intended for a single developer or a small trusted team, and open authoring / untrusted multi-user authoring is not currently implemented. Exploitation requires the ability to place malicious content into the repository or content source that the CMS loads.
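The following is an added example of the post-sanitization check the advisory describes as missing; it is not Sveltia CMS code. It assumes a hypothetical CMS origin, a hypothetical allowlist of embed origins, and the DOMPurify hook API (`addHook('afterSanitizeAttributes', fn)`), which runs after DOMPurify's own attribute filtering. Every surviving iframe gets a fixed sandbox without `allow-same-origin`, so a framed document runs in an opaque origin and cannot reach `window.parent` even if its URL were same-origin with the CMS; frames pointing at the CMS origin, non-https schemes, or non-allowlisted origins are dropped outright. A minimal fake element lets the policy run outside a browser.

```javascript
// Added example (not Sveltia CMS code): harden <iframe> elements left in
// sanitized Markdown preview HTML. Origins, sandbox value and hook wiring
// are illustrative assumptions.

// Assumption: the CMS itself is served from this origin. An iframe pointing
// here is the vector in the advisory (same-origin uploaded HTML asset).
const CMS_ORIGIN = 'https://cms.example.test';

// Assumption: embeds are only ever loaded from these third-party players.
const ALLOWED_IFRAME_ORIGINS = new Set([
  'https://www.youtube.com',
  'https://player.vimeo.com',
]);

// Written to every surviving iframe. Omitting allow-same-origin puts the
// framed document in an opaque origin, so it cannot script the parent.
const ENFORCED_SANDBOX = 'allow-scripts';

// Decide whether an iframe src is acceptable. Relative URLs resolve against
// the CMS origin, so "/uploads/evil.html" is classified as same-origin.
function classifyIframeSrc(src, cmsOrigin = CMS_ORIGIN) {
  if (!src) return { allowed: false, reason: 'missing src' };
  let url;
  try {
    url = new URL(src, cmsOrigin);
  } catch {
    return { allowed: false, reason: 'unparseable src' };
  }
  if (url.protocol !== 'https:') {
    return { allowed: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.origin === new URL(cmsOrigin).origin) {
    return { allowed: false, reason: 'same-origin frame' };
  }
  if (!ALLOWED_IFRAME_ORIGINS.has(url.origin)) {
    return { allowed: false, reason: `origin ${url.origin} not allowlisted` };
  }
  return { allowed: true, reason: 'allowlisted origin' };
}

// Apply the policy to one element. Works on any object exposing the DOM
// attribute methods, so it is testable without a browser.
// Returns 'dropped', 'hardened' or 'ignored'.
function hardenIframe(node, cmsOrigin = CMS_ORIGIN) {
  if (String(node.nodeName).toLowerCase() !== 'iframe') return 'ignored';
  const verdict = classifyIframeSrc(node.getAttribute('src'), cmsOrigin);
  if (!verdict.allowed) {
    if (node.parentNode) node.parentNode.removeChild(node);
    return 'dropped';
  }
  // srcdoc takes precedence over src in browsers and would inline attacker
  // HTML, so it is stripped even when src is allowlisted.
  node.removeAttribute('srcdoc');
  // Overwrite rather than merge: an author-supplied sandbox could add
  // allow-same-origin back in.
  node.setAttribute('sandbox', ENFORCED_SANDBOX);
  node.setAttribute('referrerpolicy', 'no-referrer');
  return 'hardened';
}

// Wire the policy into a DOMPurify instance. afterSanitizeAttributes runs
// after DOMPurify's own attribute filtering, so the sandbox set here is not
// subject to the attribute allowlist and is not stripped afterwards.
function registerIframeHooks(purify, cmsOrigin = CMS_ORIGIN) {
  purify.addHook('afterSanitizeAttributes', (node) => {
    hardenIframe(node, cmsOrigin);
  });
}

// Minimal stand-in for DOM nodes so the demo runs under plain Node.
class FakeContainer {
  constructor() { this.children = []; }
  removeChild(child) {
    this.children = this.children.filter((c) => c !== child);
    child.parentNode = null;
    return child;
  }
}
class FakeElement {
  constructor(nodeName, attrs = {}, parent = null) {
    this.nodeName = nodeName.toUpperCase();
    this.attrs = new Map(Object.entries(attrs));
    this.parentNode = parent;
    if (parent) parent.children.push(this);
  }
  getAttribute(n) { return this.attrs.has(n) ? this.attrs.get(n) : null; }
  setAttribute(n, v) { this.attrs.set(n, String(v)); }
  removeAttribute(n) { this.attrs.delete(n); }
}

// Constructed inputs mirroring the advisory: a same-origin uploaded HTML
// asset, and a legitimate embed carrying a permissive sandbox and a srcdoc.
function runDemo() {
  const preview = new FakeContainer();
  const evil = new FakeElement('iframe', { src: '/uploads/attacker.html' }, preview);
  const embed = new FakeElement('iframe', {
    src: 'https://www.youtube.com/embed/abc123',
    sandbox: 'allow-scripts allow-same-origin',
    srcdoc: '<script>parent.localStorage.clear()</script>',
  }, preview);
  return {
    evil: hardenIframe(evil),
    embed: hardenIframe(embed),
    survivors: preview.children.length,
    sandbox: embed.getAttribute('sandbox'),
    srcdoc: embed.getAttribute('srcdoc'),
  };
}
```

Rejecting same-origin frames is the direct fix for the advisory's vector; the fixed sandbox is the defence in depth, since a future bug in the allowlist or URL parsing then still leaves the framed document unable to reach the parent window.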