CVE-2025-24981: MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. In affected versions
Summary
MDC is a tool that converts Markdown into documents that work with Vue components (Vue is a JavaScript framework for building user interfaces). In affected versions, MDC does not properly validate URLs in Markdown, so an attacker can slip malicious JavaScript past the check by encoding it as hex-encoded HTML entities. If the tool processes untrusted Markdown, this can lead to XSS (cross-site scripting, where unauthorized code runs in a user's browser).
Solution / Mitigation
Upgrade to version 0.13.3 or later. The source states: 'This vulnerability has been addressed in version 0.13.3 and all users are advised to upgrade.'
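For applications that run their own URL checks on untrusted Markdown, the following added example (not MDC's code and not taken from the fix) contrasts a check on the raw string with one that decodes HTML character references first and then allowlists the scheme. All function names, the scheme allowlist and the sample inputs are assumptions made for illustration.

```javascript
// Added example; names are hypothetical and this is not MDC's API.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
const NAMED = new Map([['colon', ':'], ['Tab', '\t'], ['NewLine', '\n'], ['amp', '&']]);

function fromCode(cp) {
  // String.fromCodePoint throws on out-of-range values, so substitute U+FFFD.
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : '\uFFFD';
}

// Single-pass decode of the character references an HTML parser would resolve.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+);?|#(\d+);?|(\w+);)/gi, (m, hex, dec, name) => {
    if (hex) return fromCode(parseInt(hex, 16));
    if (dec) return fromCode(parseInt(dec, 10));
    return NAMED.has(name) ? NAMED.get(name) : m;
  });
}

// Weak check: looks only at the raw string, so an encoded scheme is not seen.
function naiveIsSafe(url) {
  return !/^\s*(javascript|vbscript|data):/i.test(url);
}

// Hardened check: decode, drop whitespace and control characters that URL
// parsers ignore, then allow only known schemes (relative URLs pass).
function isSafeUrl(url) {
  const normalized = decodeEntities(url).replace(/[\u0000-\u0020]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(normalized);
  return scheme === null || ALLOWED_SCHEMES.has(scheme[1].toLowerCase());
}

// Constructed sample inputs.
const samples = [
  'https://example.com/docs',
  '/guide#intro',
  '&#x6A;avascript&#x3A;void(0)',
  'java&#x09;script&colon;void(0)',
];

function report() {
  return samples.map((u) => ({ url: u, naive: naiveIsSafe(u), hardened: isSafeUrl(u) }));
}

console.log(report());
```

A check like this is a second layer for content pipelines; it does not replace the upgrade.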
Vulnerability Details
9.3 (critical)
EPSS: 0.4%
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-24981
First tracked: February 15, 2026 at 08:52 PM
Classified by LLM (prompt v3) · confidence: 75%