CVE-2026-30691

MEDIUM

@cyntler/react-doc-viewer 1.17.1 - Cross-Site Scripting via TXTRenderer Component

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-30691. PoCs published by walidriouah.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-30691, a Stored XSS vulnerability in @cyntler/react-doc-viewer v1.17.1. It includes a proof-of-concept payload, vulnerable code snippet, and recommended fixes.

Description

Cross-Site Scripting (XSS) vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanitize file content and explicitly casts raw data as a ReactNode

Exploits (1)

github WRITEUP

by walidriouah · poc

https://github.com/walidriouah/CVE-2026-30691

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2026-30691, a Stored XSS vulnerability in @cyntler/react-doc-viewer v1.17.1. It includes a proof-of-concept payload, vulnerable code snippet, and recommended fixes.

Classification

Writeup 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: @cyntler/react-doc-viewer v1.17.1

No auth needed

Prerequisites: A crafted .txt file with malicious JavaScript · Victim interaction to open the file in the vulnerable viewer

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed May 20, 2026 Full analysis →

References (2)

Core 2

Core References

https://github.com/cyntler/react-doc-viewer/issues/317

https://github.com/walidriouah/CVE-2026-30691

Scores

CVSS v3 6.1

EPSS 0.0001

EPSS Percentile 2.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

cyntler/react-doc-viewer 0 - 1.17.1npm

Published May 20, 2026

Tracked Since May 20, 2026