Lemmy: Stored XSS via Markdown image alt-text
An approved member or a federated remote instance can store JavaScript in the alt text of a Markdown image; the script executes in the browsers of other users who view the content.
Advisory ID: TP-2026-018
Product: Lemmy (federated open-source link aggregator and discussion platform in the Fediverse)
Vulnerability type: Stored Cross-Site Scripting (CWE-79)
CVE: CVE-2026-54743
CVSS 3.1: 5.4 (Medium) · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected versions: lemmy-ui 0.19.x
Fixed in: lemmy-ui (fix in #4210)
Vendor advisory: GHSA-2g66-9fr3-ppwj
Reported: 30 May 2026
Summary
Lemmy is a federated open-source platform for link aggregation and discussion in the Fediverse. Its frontend lemmy-ui renders Markdown for post bodies, comment bodies, private messages, and community descriptions through mdToHtml, which returns a raw { __html } object that is set as inner HTML with no sanitizer pass. The renderer runs with html: false, but it also registers the markdown-it-html5-embed plugin with useImageSyntax, which turns Markdown image syntax whose URL points at a video file into a <video> element with a text fallback and substitutes the alt text into that fallback without HTML escaping. As a result, any approved member or federated remote instance can inject stored HTML/JavaScript through the alt text of a Markdown image, and it executes in other users' browsers. In the default production configuration a Content Security Policy mitigates execution; the vendor fixed the issue regardless. turingpoint verified the flow and reported it responsibly.
Root cause
lemmy-ui renders user-generated Markdown through mdToHtml and injects the result as a raw { __html } object, with no sanitizer, into the Inferno-managed DOM. The Markdown renderer is configured with html: false, which blocks literal HTML tokens in the source, but it also registers the markdown-it-html5-embed plugin with useImageSyntax: true. With that option, Markdown image syntax whose URL points at a video file becomes a <video> element whose text fallback the plugin builds by raw string substitution of the alt text into a message, without HTML-escaping the alt text. html: false governs only tokens parsed from the source and does not apply to plugin-generated output, so the alt text reaches the DOM as live HTML and is inserted unfiltered by the { __html } path. Because the rendered content originates from any approved member or federated remote instance, the payload is stored persistently and executes in every viewer's browser unless a Content Security Policy intervenes.
Proof of Concept
As an approved member, in a post, comment, private message, or community description, submit Markdown image syntax whose URL points at a video file and whose alt text contains an HTML fragment such as an <img> element with an onerror handler.
The markdown-it-html5-embed plugin turns this into a <video> element and substitutes the alt text into the text fallback by raw string replacement. Because the alt text is not HTML-escaped, and html: false governs only literal HTML tokens in the Markdown source rather than plugin-generated output, the <img onerror=...> reaches the DOM as live HTML and executes in every viewer's browser, subject to the instance's Content Security Policy. The same <img> fragment placed in ordinary body text is escaped by html: false and stays inert; only the alt-text path bypasses it.
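The following is an added example, not code from lemmy-ui or markdown-it-html5-embed: a minimal stand-in for the useImageSyntax path that reproduces the defect class (alt text spliced into the <video> fallback by raw string replacement) next to the hardened form that escapes the alt text first, plus a scanner an instance operator could run over stored bodies to find alt text carrying markup. The image-syntax regex, the video extension list, the fallback message wording, the example.invalid URLs and the sample posts are all constructed for the demonstration; the real plugin's template and markup differ.

```javascript
// Added example, not the project's code. Simulates the vulnerable and the
// hardened rendering of ![alt](video-url) and scans stored bodies for abuse.

const IMAGE_SYNTAX = /!\[([^\]]*)\]\(([^)\s]+)\)/g;   // ![alt](url), simplified (assumption)
const VIDEO_EXT = /\.(mp4|webm|ogv)$/i;               // assumed extension list
// Fallback template with a placeholder for the alt text (constructed wording).
const FALLBACK = 'Your browser does not support playing HTML5 video: %ALT%';

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Plain-text segments are escaped, which is what html: false does to literal
// HTML in the source. Image syntax is handed to the "plugin" path, where the
// alt text is either spliced in raw (vulnerable) or escaped first (fixed).
function render(markdown, escapeAlt) {
  let out = '';
  let last = 0;
  for (const m of markdown.matchAll(IMAGE_SYNTAX)) {
    out += escapeHtml(markdown.slice(last, m.index));
    const [whole, alt, url] = m;
    if (VIDEO_EXT.test(url)) {
      const fallbackAlt = escapeAlt ? escapeHtml(alt) : alt;
      out += `<video controls src="${escapeHtml(url)}">`
           + FALLBACK.replace('%ALT%', () => fallbackAlt)
           + '</video>';
    } else {
      // markdown-it's own image rule escapes the alt attribute; shown for contrast.
      out += `<img src="${escapeHtml(url)}" alt="${escapeHtml(alt)}">`;
    }
    last = m.index + whole.length;
  }
  out += escapeHtml(markdown.slice(last));
  return out;
}

const renderVulnerable = md => render(md, false);
const renderFixed = md => render(md, true);

// Any element in the output carrying an inline on* handler is attacker-supplied:
// the renderer itself never emits one.
function hasInlineHandler(html) {
  return /<[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

// Scanner for stored bodies: image alt text should never contain markup
// characters, so any hit is worth inspecting.
function findSuspiciousAltText(posts) {
  const hits = [];
  for (const p of posts) {
    for (const m of p.body.matchAll(IMAGE_SYNTAX)) {
      if (/[<>"']/.test(m[1])) hits.push({ id: p.id, alt: m[1], url: m[2] });
    }
  }
  return hits;
}

// Constructed sample data.
const PAYLOAD_ALT = '<img src=x onerror=alert(document.domain)>';
const POSTS = [
  { id: 1, body: 'Watch this ![' + PAYLOAD_ALT + '](https://example.invalid/clip.mp4)' },
  { id: 2, body: 'Plain text with ' + PAYLOAD_ALT + ' outside image syntax' },
  { id: 3, body: 'Harmless ![a cat](https://example.invalid/cat.png)' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of POSTS) {
    console.log(`post ${p.id} vulnerable: ${hasInlineHandler(renderVulnerable(p.body))}`);
    console.log(`post ${p.id} fixed:      ${hasInlineHandler(renderFixed(p.body))}`);
  }
  console.log('suspicious alt text:', findSuspiciousAltText(POSTS));
}
```

Post 1 yields a live <img onerror=...> only through the vulnerable path; post 2 shows the same fragment neutralised by the html: false behaviour on ordinary text, which is why the alt-text route matters. The scanner is a coarse triage aid, not a sanitizer: the fix is escaping (or sanitizing) the rendered output, and a Content Security Policy without inline script remains the defence in depth.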
Impact
- Execution of attacker JavaScript in the session of any user who views the post, comment, message, or community description.
- Persistent payload that can spread to remote instances over federation.
- Session-bound actions on behalf of the victim within the lemmy-ui interface.
- Mitigated by the Content Security Policy shipped in the default production configuration, which prevents the injected script from running; instances that relax or omit that policy are exposed to the full impact above.
Is Something Like This in Your Software?
Our team found this vulnerability in the course of its work. Have your applications tested by the same specialists, with a penetration test from turingpoint.
