{"id":81245,"date":"2026-06-29T22:40:49","date_gmt":"2026-06-29T19:10:49","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-54889-unsanitized-url-schemes-in-mdex-quill-delta-output-allow-javascript-injection-xss\/"},"modified":"2026-06-29T22:40:49","modified_gmt":"2026-06-29T19:10:49","slug":"cve-2026-54889-unsanitized-url-schemes-in-mdex-quill-delta-output-allow-javascript-injection-xss","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-54889-unsanitized-url-schemes-in-mdex-quill-delta-output-allow-javascript-injection-xss\/","title":{"rendered":"CVE-2026-54889 – Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)"},"content":{"rendered":"

CVE ID :CVE-2026-54889<\/p>\n

Published : June 29, 2026, 7:10 p.m. | 35\u00a0minutes ago<\/p>\n

Description :Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.<\/p>\n

‘Elixir.MDEx’:to_delta\/2 converts Markdown into a Quill Delta. ‘Elixir.MDEx.DeltaConverter’:default_convert_node\/3 in lib\/mdex\/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta “link” or “image” attribute without applying a scheme allowlist or any normalization.<\/p>\n

An attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an or , and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in generally does not execute in modern browsers.<\/p>\n

This issue affects mdex: from 0.8.3 before 0.13.2.<\/p>\n

Severity: 5.1 | MEDIUM<\/p>\n

Visit the link for more details, such as CVSS details, affected products, timeline, and more…\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"

CVE ID :CVE-2026-54889 Published : June 29, 2026, 7:10 p.m. | 35\u00a0minutes ago Description :Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output. ‘Elixir.MDEx’:to_delta\/2 converts Markdown into a Quill Delta. ‘Elixir.MDEx.DeltaConverter’:default_convert_node\/3 in lib\/mdex\/delta_converter.ex copies the URL of a link, wikilink, …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-81245","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/81245","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=81245"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/81245\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=81245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=81245"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=81245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}