Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization
- Severity:
- Medium
Description
MarkdownBody, the shared component used to render every Markdown surface in the Paperclip UI (issue documents, issue comments, chat threads, approvals, agent details, export previews, etc.), passes urlTransform={(url) => url} to react-markdown.
Recommendation
Update the @paperclipai/ui package to the latest compatible version. Followings are version details:
- Affected version(s): < 2026.416.0
- Patched version(s): 2026.416.0
References
Related Issues
- Apostrophe has stored XSS via javascript: URL in Image Widget Link - CVE-2026-45011
- HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft - CVE-2026-46496
- React Router has XSS Vulnerability - CVE-2025-59057
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
You might also like:
- Tags:
- npm
- @paperclipai/ui
Anything's wrong? Let us know Last updated on April 16, 2026


