6 matches found
@abbele/core (>=0.0.1 <=0.0.10), @abbele/uikit (>=0.0.1 <=0.1.2) +40 more potentially affected by CVE-2025-54075 via @nuxtjs/mdc (>=0.10.0 <=0.17.0)
@nuxtjs/mdc · NPM version: =0.10.0, =0.0.1, =0.0.1, =1.0.16, =1.0.16, =3.0.0-1a33690, =3.0.0-1a33690, =0.0.1, =0.13.1, =0.0.90, =0.22.2 and more · Source CVEs: CVE-2025-54075 · Source advisory: OSV:GHSA-CJ6R-RRR9-FG82...
CVE-2025-54075 mdc vulnerable to XSS in markdown rendering bypassing HTML filter. (N°4)
MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. Prior to version 0.17.2, a remote script-inclusion / stored cross-site scripting vulnerability in @nuxtjs/mdc lets a Markdown author inject a element. The tag rewrites how all subsequent relative...
CVE-2025-24981 Parsed HTML anchor links in Markdown provided to parseMarkdown can result in XSS in @nuxtjs/mdc
MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. In affected versions unsafe parsing logic of the URL from markdown can lead to arbitrary JavaScript code due to a bypass to the existing guards around the javascript: protocol scheme in the URL. Th...
CVE-2025-24981
The CVE-2025-24981 vulnerability affects MDC (the Markdown-to-Vue integration used in @nuxtjs/mdc). The root cause is unsafe URL parsing in the parser (props.ts) that uses a deny-list for protocols (e.g., javascript:) but can be bypassed when the attacker provides hex-encoded HTML entities within...
CVE-2025-24981 Parsed HTML anchor links in Markdown provided to parseMarkdown can result in XSS in @nuxtjs/mdc
MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. In affected versions unsafe parsing logic of the URL from markdown can lead to arbitrary JavaScript code due to a bypass to the existing guards around the javascript: protocol scheme in the URL. Th...
PT-2025-5844 · Nuxt.Js · @Nuxtjs/Mdc
Name of the Vulnerable Software and Affected Versions: @nuxtjs/mdc versions prior to 0.13.3. Description: The issue arises from unsafe parsing logic of the URL from markdown, which can lead to arbitrary JavaScript code execution due to a bypass of the existing guards around the javascript: protoco...