BentoPDF: Stored XSS via Markdown Editor Leading to Persistent File...

7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Description

BentoPDF is a client-side PDF toolkit that is self hostable. Prior to version 2.8.3, a cross-site scripting vulnerability was identified in BentoPD. An attacker may be able to execute arbitrary JavaScript in certain circumstances in Markdown to PDF Tool. This issue has been patched in version 2.8.3.

Basic Information

ID CVE-2026-41653

Source GitHub_M

Published May 7, 2026 at 18:43

Modified May 7, 2026 at 19:01

Affected Product

Vendor alam00000

Product bentopdf

Version < 2.8.3

Affected Versions alam00000 bentopdf < 2.8.3

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "BentoPDF is a client-side PDF toolkit that is self hostable. Prior to version 2.8.3, a cross-site scripting vulnerability was identified in BentoPD. An attacker may be able to execute arbitrary JavaScript in certain circumstances in Markdown to PDF Tool. This issue has been patched in version 2.8.3.",
    "published": "2026-05-07T18:43:17.797Z",
    "modified": "2026-05-07T19:01:30.967Z",
    "type": "cve",
    "title": "BentoPDF: Stored XSS via Markdown Editor Leading to Persistent File Exfiltration",
    "source": "GitHub_M",
    "references": "https://github.com/alam00000/bentopdf/security/advisories/GHSA-6vh8-4frx-647f\nhttps://github.com/alam00000/bentopdf/releases/tag/v2.8.3",
    "id": "CVE-2026-41653",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "alam00000 bentopdf < 2.8.3",
    "sourceHref": "",
    "cvss": {
        "score": 7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "bentopdf",
    "version": "< 2.8.3",
    "vendor": "alam00000",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

BentoPDF: Stored XSS via Markdown Editor Leading to Persistent File Exfiltration_CVE-2026-41653