CVE-2026-46492: md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
A cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain.
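The difference between passing raw HTML through and escaping it before markup is applied can be shown with a small renderer for a Markdown subset. This is an added example, not md-fileserver's code; `renderMarkdown`, `allowRawHtml`, `containsActiveScript` and the sample document are hypothetical names and constructed input.

```javascript
// Added example: minimal renderer for a Markdown subset (headings, bold, paragraphs).
// All names here are hypothetical; this is not md-fileserver's API.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralise every character that can open a tag, attribute or entity.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Inline markup is applied only after the source text has been escaped.
function renderInline(text) {
  return text.replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>');
}

function renderMarkdown(source, { allowRawHtml = false } = {}) {
  return source
    .split(/\n{2,}/)
    .map((block) => block.trim())
    .filter((block) => block.length > 0)
    .map((block) => {
      // allowRawHtml = true reproduces the behaviour in the advisory:
      // user-supplied HTML reaches the page unchanged.
      const text = allowRawHtml ? block : escapeHtml(block);
      const heading = /^(#{1,6})\s+(.*)$/.exec(text);
      if (heading) {
        const level = heading[1].length;
        return `<h${level}>${renderInline(heading[2])}</h${level}>`;
      }
      return `<p>${renderInline(text)}</p>`;
    })
    .join('\n');
}

// Simple output check a regression test can use: does a live script tag survive?
function containsActiveScript(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample document containing embedded raw HTML.
const SAMPLE = '# Notes\n\nSome **bold** text.\n\n<script>document.title = "injected"</script>';

console.log(containsActiveScript(renderMarkdown(SAMPLE, { allowRawHtml: true }))); // true
console.log(containsActiveScript(renderMarkdown(SAMPLE)));                         // false
```

Markdown libraries commonly expose a switch for raw HTML pass-through, or are paired with an HTML sanitizer applied to the rendered output; a test like `containsActiveScript` on rendered fixtures catches a regression in either.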