Intel

AIKIDO-2026-315866

mdex is vulnerable to Cross-site Scripting (XSS)

Cross-site Scripting (XSS)CVE-2026-53427 Published Jul 2, 2026

23

Low Risk

This Affects:

ELIXIRmdex
0.11.3 - 0.12.2
Fixed in 0.12.3
Are you affected? Scan for Free

TL;DR

mdex is vulnerable to cross-site scripting when rendering Markdown with syntax highlighting and full info-string forwarding enabled (render: [full_info_string: true]). The Lumis adapter (LumisAdapter::parse_custom_attributes in lumis_adapter.rs) copies the highlight_lines_class value from a fenced code block's info string verbatim into the class attribute of each highlighted line without HTML escaping. An attacker who controls the Markdown can use a shlex-quoted payload such as '"> alert(1) ' to terminate the attribute early and inject arbitrary HTML and JavaScript that runs in every viewer's browser.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

mdex is vulnerable to Cross-site Scripting (XSS) in versions 0.11.3 - 0.12.2.

How to fix this

Upgrade the mdex library to the patch version.