{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/md-fileserver/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["md-fileserver (\u003c 1.10.3)"],"_cs_severities":["high"],"_cs_tags":["xss","reflected-xss","stored-xss","javascript","md-fileserver"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003emd-fileserver versions prior to 1.10.3 are vulnerable to cross-site scripting (XSS) due to the application\u0026rsquo;s Markdown rendering configuration which allows raw HTML. An attacker can inject malicious JavaScript code into Markdown files. When a user views the crafted Markdown, the injected script executes in the user\u0026rsquo;s browser. This vulnerability arises from the application\u0026rsquo;s explicit configuration to allow raw HTML within Markdown and the subsequent lack of sanitization before rendering the content in the HTML template. This can lead to session hijacking, credential theft, or other malicious activities. The vulnerability was reported on May 21, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious Markdown file containing an embedded \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e tag or event handler (e.g., \u003ccode\u003e\u0026lt;img onerror=...\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker hosts or uploads this malicious Markdown file to the md-fileserver application.\u003c/li\u003e\n\u003cli\u003eA victim user navigates to the malicious Markdown file hosted on the md-fileserver.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s \u003ccode\u003elib/markd.js\u003c/code\u003e renders the Markdown content without sanitizing the raw HTML, including the malicious \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e tag.\u003c/li\u003e\n\u003cli\u003eThe rendered Markdown is injected into the HTML template \u003ccode\u003elib/pages/template.html\u003c/code\u003e using \u003ccode\u003e\u0026lt;%= markdown %\u0026gt;\u003c/code\u003e without any sanitization or output encoding.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser receives the HTML page with the embedded malicious JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code executes in the victim\u0026rsquo;s browser within the security context of the md-fileserver domain.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as stealing session cookies, redirecting the user to a phishing site, or defacing the website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser. This can lead to session hijacking, account takeover, credential theft, defacement of the website, or exfiltration of sensitive data such as API tokens, CSRF tokens, or user information. All users who view Markdown content within the vulnerable application are potentially affected. Versions of \u003ccode\u003emd-fileserver\u003c/code\u003e prior to \u003ccode\u003e1.10.3\u003c/code\u003e are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003emd-fileserver\u003c/code\u003e to version 1.10.3 or later to remediate the XSS vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect md-fileserver XSS via oastify.com\u003c/code\u003e to detect potential exploitation attempts by monitoring network connections to the exfiltration domain.\u003c/li\u003e\n\u003cli\u003eImplement proper HTML sanitization and output encoding in \u003ccode\u003elib/markd.js\u003c/code\u003e to prevent the execution of arbitrary JavaScript code.\u003c/li\u003e\n\u003cli\u003eDisable the \u003ccode\u003ehtml: true\u003c/code\u003e option in the MarkdownIt configuration (config.js) if raw HTML rendering is not required.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T17:59:16Z","date_published":"2026-05-21T17:59:16Z","id":"https://feed.craftedsignal.io/briefs/2026-05-md-fileserver-xss/","summary":"A cross-site scripting (XSS) vulnerability exists in md-fileserver's Markdown rendering logic, where user-supplied Markdown content containing raw HTML, including \u003cscript\u003e tags, is processed and injected into the resulting page without sanitization, leading to arbitrary JavaScript execution and potential account takeover.","title":"md-fileserver Stored/Reflected XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-md-fileserver-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Md-Fileserver","version":"https://jsonfeed.org/version/1.1"}