GHSA-vccx-p757-pv6h: mo has a XSS via inline SVG script tags in Markdown rendering

March 18, 2026

When rendering Markdown files containing inline SVG elements with <script> tags, the embedded JavaScript is executed in the browser. This is due to rehype-raw passing raw HTML (including SVG) through to the DOM without sanitization.

References

github.com/advisories/GHSA-vccx-p757-pv6h
github.com/k1LoW/mo
github.com/k1LoW/mo/security/advisories/GHSA-vccx-p757-pv6h

Code Behaviors & Features

Detect and mitigate GHSA-vccx-p757-pv6h with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →