Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization

Severity:: Medium

Description

MarkdownBody, the shared component used to render every Markdown surface in the Paperclip UI (issue documents, issue comments, chat threads, approvals, agent details, export previews, etc.), passes urlTransform={(url) => url} to react-markdown.

Recommendation

Update the @paperclipai/ui package to the latest compatible version. Followings are version details:

Affected version(s): < 2026.416.0
Patched version(s): 2026.416.0

References

GHSA-fpw4-p57j-hqmq
CWE-79
OWASP 2021-A3

Related Issues

HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft - CVE-2026-46496
Apostrophe has stored XSS via javascript: URL in Image Widget Link - CVE-2026-45011
Astro: XSS in define:vars via incomplete </script> tag sanitization - CVE-2026-41067
Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering) - Vulnerability

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

Security Testing of WebSites Using JavaScript

Tags:: npm; @paperclipai/ui

Anything's wrong? Let us know Last updated on April 16, 2026