MEDIUM 6.1

GHSA-fvhg-p4hf-79x3

@cyntler/react-doc-viewer's TXTRenderer fails to sanitize file content and explicitly casts raw data as a ReactNode

Details

Cross-Site Scripting (XSS) vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanitize file content and explicitly casts raw data as a ReactNode.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @cyntler/react-doc-viewer

Introduced in: 0

No fixed version published yet for @cyntler/react-doc-viewer (npm). Pin to a known-safe version or switch to an alternative.

References

https://nvd.nist.gov/vuln/detail/CVE-2026-30691 [ADVISORY]
https://github.com/cyntler/react-doc-viewer/issues/317 [WEB]
https://github.com/cyntler/react-doc-viewer [PACKAGE]
https://github.com/walidriouah/CVE-2026-30691 [WEB]