@cyntler/react-doc-viewer's TXTRenderer fails to sanitize file content and explicitly casts raw data as a ReactNode

GHSA-fvhg-p4hf-79x3 · CVE-2026-30691

Published May 20, 2026 · Modified Jun 11, 2026

Description

Cross-Site Scripting (XSS) vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanitize file content and explicitly casts raw data as a ReactNode.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-30691
WEB https://github.com/cyntler/react-doc-viewer/issues/317
PACKAGE https://github.com/cyntler/react-doc-viewer
WEB https://github.com/walidriouah/CVE-2026-30691

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes