@sveltia/cms: Stored XSS in Markdown/RichText preview patched

20 Jun 2026 · Read 1 min · Severity: schedule it

What changed

A stored XSS vulnerability in the Markdown/RichText field preview renderer was patched by adding a two-pass sanitization pipeline that removes or sandboxes iframes.

Who it affects

Users of Sveltia CMS who load Markdown content from untrusted sources or who have not upgraded to v0.167.3.

What to do today

Upgrade to Sveltia CMS v0.167.3 or later.
