Intel

AIKIDO-2026-504745

mdex is vulnerable to Cross-site Scripting (XSS)

Cross-site Scripting (XSS)CVE-2026-54889 Published Jul 2, 2026

51

Medium Risk

This Affects:

ELIXIRmdex
0.8.3 - 0.13.1
Fixed in 0.13.2
Are you affected? Scan for Free

TL;DR

mdex is vulnerable to cross-site scripting when converting Markdown to Quill Delta. MDEx.to_delta/2 passes link, wikilink, and image URLs straight from parsed Markdown into Delta link/image attributes with no scheme allowlist or normalization. An attacker who controls the Markdown can embed javascript: URLs (e.g. [click](javascript:alert(document.cookie))), which survive into the Delta and become a href> or img src> when a downstream renderer (quill-delta-to-html or the Quill client) turns it into HTML. Links and wikilinks are the main risk because javascript: in href runs on click; image URLs are lower impact since modern browsers usually block javascript: in img src>.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

mdex is vulnerable to Cross-site Scripting (XSS) in versions 0.8.3 - 0.13.1.

How to fix this

Upgrade the mdex library to the patch version.