PatchSiren

CVE-2026-30691 cyntler CVE debrief

CVE-2026-30691 describes a cross-site scripting issue in @cyntler/react-doc-viewer v1.17.1 where a crafted .txt file can cause TXTRenderer to render attacker-controlled content without proper sanitization. Because the component explicitly casts raw file data as a ReactNode, malicious markup or script-bearing input may be interpreted in the browser context of the viewing application. The CVE was published on 2026-05-20 and carries a CVSS v3.1 base score of 6.1 (MEDIUM).

Vendor: cyntler
Product: @cyntler/react-doc-viewer
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Teams that embed @cyntler/react-doc-viewer in web applications, especially if users can upload, submit, or preview .txt files. Security engineers and maintainers should prioritize any deployment that renders untrusted documents in authenticated browser sessions, where XSS can expose session data or perform actions as the user.

Technical summary

NVD records this as CWE-79 and lists the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The reported weakness is in the TXTRenderer path: raw text content is not sanitized before being cast and rendered as a ReactNode, allowing attacker-supplied .txt content to influence browser-executed output. The supplied corpus references GitHub issue #317 and a public CVE tracking repository as supporting references, but it does not include remediation details or a fixed release.

Defensive priority

Medium. The issue requires user interaction, but the attack surface is common in document-preview workflows and the impact can extend beyond the vulnerable component because XSS executes in the application origin.

Recommended defensive actions

  • Identify whether your application uses @cyntler/react-doc-viewer v1.17.1 or any build that includes the affected TXTRenderer behavior.
  • Treat all previewed text files as untrusted input and disable inline rendering of untrusted content until a verified fix is available.
  • Monitor the upstream project issue and release notes for a patched version or official mitigation guidance.
  • If document preview is required, isolate the viewer in a less-privileged origin or sandboxed context to reduce browser-origin impact.
  • Add regression tests that ensure raw .txt content is escaped or rendered as inert text rather than React nodes.
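
For the first action above, one way to inventory installed copies of the package from a parsed package-lock.json. This is an added example, not code from the advisory or the upstream project; the function name findDocViewer, the status labels and the SAMPLE_LOCK contents are assumptions constructed for illustration.

```javascript
// Added example. SAMPLE_LOCK is constructed data, not a real project's lockfile.
const PKG = "@cyntler/react-doc-viewer";
const NAMED_VERSION = "1.17.1"; // the only version the advisory names

// Return every installed copy of PKG found in a parsed package-lock.json.
function findDocViewer(lock) {
  const hits = [];
  const record = (path, meta) =>
    hits.push({
      path,
      version: meta.version,
      // No fixed release is known, so any other version needs manual review.
      status: meta.version === NAMED_VERSION ? "affected" : "review",
    });

  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
        record(path, meta);
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === PKG) record(path, meta);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample: one direct install and one nested (transitive) copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-portal", version: "0.0.0" },
    "node_modules/@cyntler/react-doc-viewer": { version: "1.17.1" },
    "node_modules/example-widget/node_modules/@cyntler/react-doc-viewer": { version: "1.16.0" },
    "node_modules/react": { version: "18.2.0" },
  },
};

console.log(findDocViewer(SAMPLE_LOCK));
```

Nested copies matter because a transitive dependency can bundle its own version of the viewer even when the top-level install differs.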

Evidence notes

This debrief is based only on the supplied NVD CVE metadata and the referenced GitHub URLs. The corpus states the vulnerability is XSS in @cyntler/react-doc-viewer v1.17.1, that TXTRenderer fails to sanitize file content, and that raw data is explicitly cast as a ReactNode. No fix version, patch commit, or exploitation details were supplied in the source set.

Official resources

CVE published in NVD on 2026-05-20 and modified the same day. The source metadata lists the vulnerability as received at publication time and references an upstream GitHub issue plus a public tracking repository. No KEV listing is provided.