CVE-2021-28796: Qiita::Markdown: XSS in transformer components
Qiita::Markdown before 0.33.0 contains a stored/reflected XSS vulnerability in its transformer pipeline, enabling script injection in rendered content. If your AI/ML documentation platforms, knowledge bases, or developer portals use this gem, upgrade to 0.33.0 or later. The blast radius is limited to session hijacking and credential theft in browser contexts, but in AI-enabled developer workflows the attack surface extends to poisoning shared knowledge content.
Risk Assessment
Medium risk (CVSS 6.1). Low attack complexity with no privileges required makes it trivially weaponizable, but it requires user interaction (the victim must view the rendered malicious markdown). It is network-accessible with scope changed (S:C), meaning the impact lands in the victim's browser context rather than in the rendering application itself, with low confidentiality and integrity impact (C:L/I:L). In AI/ML team environments where Qiita or similar markdown-rendered platforms are used for model documentation, runbooks, or collaborative notebooks, the risk elevates slightly due to shared content consumption patterns.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| qiita-markdown | RubyGems | < 0.33.0 | 0.33.0 |
If qiita-markdown below 0.33.0 appears in your Gemfile.lock, you are affected.
Recommended Action
- Patch: Upgrade the qiita-markdown gem to >= 0.33.0 immediately. Review Gemfile.lock for pinned vulnerable versions.
- Audit: Identify all internal systems using this gem via `bundle list | grep qiita-markdown`.
- Validate: Test rendered output with standard XSS payloads post-upgrade to confirm sanitization.
- Detect: Review web server/application logs and stored markdown for unusual script tags or javascript: URIs submitted prior to patching.
- Content hygiene: If using Qiita-sourced content in RAG pipelines or knowledge bases, re-sanitize all historical content rendered before the patch.
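The Audit and Detect steps above, as an added example that is not code from this page or from the qiita-markdown project. It parses a Gemfile.lock for the pinned qiita-markdown version and compares it against 0.33.0 with `Gem::Version`, then screens stored markdown submissions for the coarse patterns the Detect step names. The lockfile text, the submissions and the pattern list are constructed for illustration; the patterns are a triage filter, not the gem's sanitizer.

```ruby
# Added example (not from the qiita-markdown project): audit a Gemfile.lock
# for a vulnerable qiita-markdown pin (CVE-2021-28796, fixed in 0.33.0) and
# flag stored markdown that needs manual review before re-rendering.
require "rubygems" # Gem::Version

PATCHED_VERSION = Gem::Version.new("0.33.0")

# Gemfile.lock lists resolved gems under "specs:" as "    name (version)".
# Returns the pinned version string, or nil when the gem is not present.
def pinned_qiita_markdown_version(lockfile_text)
  m = lockfile_text.match(/^ {4}qiita-markdown \(([^)]+)\)/)
  m && m[1]
end

# True when the lockfile pins qiita-markdown below the patched release.
def vulnerable_lockfile?(lockfile_text)
  v = pinned_qiita_markdown_version(lockfile_text)
  return false if v.nil?
  Gem::Version.new(v) < PATCHED_VERSION
end

# Coarse triage patterns (an assumption of this example): script tags,
# javascript: URIs and inline event handlers. Matches are review candidates,
# not proof of exploitation.
SUSPICIOUS_MARKDOWN = [
  /<\s*script\b/i,
  /javascript\s*:/i,
  /\bon[a-z]+\s*=/i
].freeze

def suspicious_markdown?(text)
  SUSPICIOUS_MARKDOWN.any? { |re| text.match?(re) }
end

# Constructed sample data for the run below.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      qiita-markdown (0.32.0)
        html-pipeline
LOCK

SAMPLE_SUBMISSIONS = [
  "Normal runbook text with a [link](https://example.com).",
  "<img src=x onerror=alert(1)>",
  "[click me](javascript:alert(document.cookie))"
].freeze

if __FILE__ == $PROGRAM_NAME
  v = pinned_qiita_markdown_version(SAMPLE_LOCKFILE)
  puts "qiita-markdown #{v.inspect} vulnerable: #{vulnerable_lockfile?(SAMPLE_LOCKFILE)}"
  SAMPLE_SUBMISSIONS.each do |s|
    puts "#{suspicious_markdown?(s) ? 'REVIEW' : 'ok    '} #{s}"
  end
end
```

Point `pinned_qiita_markdown_version` at `File.read("Gemfile.lock")` for each repository found by the audit; anything that returns true from `vulnerable_lockfile?` is in scope for the patch step, and the flagged submissions are the rows to re-sanitize under the content hygiene step.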
Frequently Asked Questions
What is CVE-2021-28796?
A cross-site scripting vulnerability in the transformer pipeline of the qiita-markdown Ruby gem. Versions before 0.33.0 let attacker-controlled markdown inject script into rendered output; 0.33.0 fixes it. See the summary at the top of this page for impact.
Is CVE-2021-28796 actively exploited?
No confirmed active exploitation of CVE-2021-28796 has been reported, but organizations should still patch proactively.
How to fix CVE-2021-28796?
Upgrade the qiita-markdown gem to 0.33.0 or later and check Gemfile.lock for pinned vulnerable versions, then follow the audit, validation, detection and content hygiene steps listed under Recommended Action above.
What systems are affected by CVE-2021-28796?
Any system that renders untrusted markdown with qiita-markdown before 0.33.0. On AI/ML teams this typically means developer documentation portals, RAG pipelines (if ingesting Qiita-rendered content), model documentation systems, and collaborative ML notebooks.
What is the CVSS score for CVE-2021-28796?
CVE-2021-28796 has a CVSS v3.1 base score of 6.1 (MEDIUM). The EPSS exploitation probability is 0.22%.
Technical Details
NVD Description
Increments Qiita::Markdown before 0.33.0 allows XSS in transformers.
Exploitation Scenario
An adversary targeting an AI/ML team's internal knowledge base creates a Qiita article or wiki page containing a markdown-embedded XSS payload (e.g., in a transformer-processed block). When a developer or data scientist browses to review model documentation or training notes, the script executes in their browser, stealing session cookies or API tokens. In a RAG pipeline scenario, if the markdown content is fetched and rendered for AI-assisted developer tooling, the payload could execute in the context of that tooling, potentially exfiltrating credentials or hijacking sessions used to access ML platforms.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References
- github.com/increments/qiita-markdown/compare/v0.32.0...v0.33.0 (Patch, Release, Third Party)
- vuln.ryotak.me/advisories/15 (Third Party)
Related Vulnerabilities
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection (same attack type: Code Execution)
- CVE-2024-2912 (10.0) BentoML: RCE via insecure deserialization (CVSS 10) (same attack type: Code Execution)
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read (same attack type: Data Leakage)
- CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE (same attack type: Data Leakage)
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation (same attack type: Code Execution)