HIGH 7.2 npm

md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)

GHSA-32q2-hhr5-6qvv · CVE-2026-46492

Published · Modified

Description

Summary

A cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including