CVE-2026-46492
HIGH
7,2
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: changed
Confidentiality: low
Integrity: low
Availability: none
Description
AI Translation Available
md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including <script> tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain. This issue has been patched in version 1.10.3.
EPSS (Exploit Prediction Scoring System)
Trend Analysis
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score
0,0005
Percentile
0,2th
Updated
EPSS Score Trend (Last 5 Days)
80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
IncompleteCommon Consequences
Security Scopes Affected:
Confidentiality
Integrity
Availability
Potential Impacts:
Read Application Data
Execute Unauthorized Code Or Commands
Applicable Platforms
Technologies:
Web Based, Web Server
87
Improper Neutralization of Alternate XSS Syntax
DraftCommon Consequences
Security Scopes Affected:
Confidentiality
Integrity
Availability
Potential Impacts:
Read Application Data
Execute Unauthorized Code Or Commands
Applicable Platforms
All platforms may be affected
https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-…
https://github.com/commenthol/md-fileserver/releases/tag/v1.10.3
https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-…