Arbitrary File Upload and Stored XSS in mckenziearts/livewire-markdown-editor
Vulnerability ID: GHSA-GXXH-8VCJ-W2MH
CVSS Score: 8.5
Published: 2026-05-04
A critical vulnerability in the mckenziearts/livewire-markdown-editor package prior to version 1.3 allows authenticated users to bypass file upload restrictions. This flaw results from missing server-side validation and insecure filename handling within the Livewire component's upload lifecycle hooks. Exploitation permits attackers to host arbitrary files, execute stored Cross-Site Scripting (XSS) payloads, and perform Markdown syntax injection attacks.
TL;DR
Missing validation and sanitization in the Livewire Markdown Editor component allows arbitrary file uploads and stored XSS. Attackers can upload executable files or craft malicious filenames to inject JavaScript into the rendered page.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Class: Arbitrary File Upload / Stored XSS
- CWE IDs: CWE-434, CWE-79
- Attack Vector: Network (Authenticated)
- CVSS Score: 8.5
- Exploit Status: Proof-of-Concept Available
- Affected Component: MarkdownEditor Livewire Component
Affected Systems
- mckenziearts/livewire-markdown-editor (Packagist)
- livewire-markdown-editor: < 1.3 (Fixed in: 1.3)
Code Analysis
Commit: 1e60eaa
Implement file validation, randomized storage filenames, and sanitize markdown filename output to prevent arbitrary file upload and XSS.
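The three controls the fix commit names (server-side validation, randomized storage filenames, sanitized filename output in the generated markdown) can be seen together in the following Livewire component. This is an added illustration, not code from the package or from commit 1e60eaa; the class name, the `$upload` property, the `uploads` directory and the `public` disk are assumptions for the demo, and only the standard Laravel/Livewire APIs are used.

```php
<?php

// Added illustrative example (not the package's own code): a Livewire component
// applying the three controls named in the fix commit. The class, property and
// storage names below are assumptions chosen for the demo.

namespace App\Livewire;

use Illuminate\Support\Str;
use Livewire\Component;
use Livewire\WithFileUploads;

class HardenedMarkdownEditor extends Component
{
    use WithFileUploads;

    public string $content = '';

    /** Temporary upload bound from the browser (Livewire TemporaryUploadedFile). */
    public $upload = null;

    /** Allow-list of image types; active content such as .svg or .html is deliberately absent. */
    private const ALLOWED_MIMES = ['image/png', 'image/jpeg', 'image/gif', 'image/webp'];

    /** Livewire lifecycle hook: runs once $upload has been set from the browser. */
    public function updatedUpload(): void
    {
        // 1. Server-side validation: type and size are checked from the file
        //    contents (mimetypes rule), not from the client-supplied name.
        $this->validate([
            'upload' => ['required', 'file', 'mimetypes:' . implode(',', self::ALLOWED_MIMES), 'max:2048'],
        ]);

        // 2. Randomized storage filename: the client's name never reaches disk,
        //    so double extensions or path characters in it are irrelevant.
        //    extension() is derived from the detected MIME type, not the name.
        $storedName = Str::random(40) . '.' . $this->upload->extension();
        $path = $this->upload->storeAs('uploads', $storedName, 'public');

        // 3. Sanitized markdown output: the display name is reduced to a safe
        //    character set and the URL comes from storage, so the inserted
        //    snippet cannot close the image syntax or carry markup.
        $altText = self::safeAltText($this->upload->getClientOriginalName());
        $this->content .= "\n![" . $altText . "](" . asset('storage/' . $path) . ")\n";

        $this->upload = null;
    }

    /** Keep only characters that cannot break out of `![alt](url)` or form HTML. */
    public static function safeAltText(string $clientName): string
    {
        $base  = pathinfo($clientName, PATHINFO_FILENAME);
        $clean = preg_replace('/[^A-Za-z0-9 _.-]/', '', $base) ?? '';
        $clean = trim(Str::limit($clean, 80, ''));

        return $clean !== '' ? $clean : 'image';
    }

    public function render()
    {
        return view('livewire.hardened-markdown-editor');
    }
}
```

The `mimetypes` rule inspects the uploaded bytes rather than trusting the browser's `Content-Type`, and `extension()` is likewise derived from that detection, which is what makes the random name safe to build from it. `safeAltText` strips `[`, `]`, `(`, `)`, `<`, `>` and quotes, the characters a crafted filename would need to escape the image syntax or introduce a tag.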
Mitigation Strategies
- Upgrade the mckenziearts/livewire-markdown-editor package to version 1.3 or later.
- Disable the upload functionality via component parameters if upgrading is not immediately possible.
- Implement strict bucket policies or web server rules preventing the execution of active content (e.g., .html, .svg) from storage directories.
- Audit historical user uploads for suspicious file extensions and maliciously crafted filenames.
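One way to apply the web server rule mentioned above, as an added nginx example that is not part of the advisory or the package: the storage directory is served as inert data, so a file that slipped through as `.html` or `.svg` is downloaded rather than rendered in the site's origin. The `/storage/uploads/` path is an assumption and should match the configured upload disk.

```nginx
# Added example, not part of the advisory: serve the upload directory as inert data.
# The path /storage/uploads/ is an assumption; align it with the configured upload disk.
location ^~ /storage/uploads/ {
    # Never hand uploads to the PHP handler, whatever their extension.
    location ~ \.php$ {
        return 403;
    }

    # Browser-executable formats are delivered as downloads with a generic type,
    # so a stored .html or .svg cannot run script in the application's origin.
    location ~* \.(html?|xhtml|svg|xml)$ {
        types { }
        default_type application/octet-stream;
        add_header Content-Disposition "attachment" always;
        add_header X-Content-Type-Options "nosniff" always;
    }

    # Everything else (the intended images) is served normally, but without MIME
    # sniffing and under a CSP that blocks inline script in a mislabeled file.
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src 'none'; sandbox" always;
}
```

The `^~` modifier makes this prefix block win over any site-wide `location ~ \.php$` handler, and because nginx does not inherit `add_header` into a nested location that sets its own, the `nosniff` header is repeated inside the download block on purpose.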
Remediation Steps:
- Run `composer update mckenziearts/livewire-markdown-editor` to install the patched package.
- Publish the new package configuration if required and review the `livewire-markdown-editor.upload` settings.
- Ensure the `images_only` configuration flag is set to true unless arbitrary documents are strictly required.
- Review existing database records containing markdown output for injected script tags or broken markdown image links.
References
Read the full report for GHSA-GXXH-8VCJ-W2MH on our website for more details including interactive diagrams and full exploit analysis.