md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)

Severity:: High

Description

A cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including

Recommendation

Update the md-fileserver package to the latest compatible version. Followings are version details:

Affected version(s): < 1.10.3
Patched version(s): 1.10.3

References

GHSA-32q2-hhr5-6qvv
CVE-2026-46492
CWE-80
CWE-87
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes - CVE-2026-34405
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` - CVE-2026-44990
Nuxt: Reflected XSS in `navigateTo()` external redirect - CVE-2026-45669

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:: npm; md-fileserver

Anything's wrong? Let us know Last updated on May 21, 2026