
GHSA-vccx-p757-pv6h

mo has an XSS via inline SVG script tags in Markdown rendering

Also known as: GO-2026-4765
Published: Mar 18, 2026
Updated: Mar 23, 2026
Affected: 1 pkg
Patched: 1 / 1
Exploits: None indexed

Blast Radius

1 pkg affected: github.com/k1LoW/mo (Go)

Description

Summary

When rendering Markdown files containing inline SVG elements with <script> tags, the embedded JavaScript is executed in the browser. This is due to rehype-raw passing raw HTML (including SVG) through to the DOM without sanitization.

PoC

<svg><script>alert(1)</script></svg>

Embedding the above in a Markdown file opened with mo causes the script to execute.

Impact

Arbitrary JavaScript execution in the context of the mo application when a user opens a malicious Markdown file. This could lead to data exfiltration of other opened Markdown file contents.

Remediation

Fixed by adding rehype-sanitize to the Markdown rendering pipeline, which strips dangerous elements such as <script> while preserving safe HTML.
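A defender-side check for the pattern described above, added here as an example and not code from the mo project or the advisory: it scans Markdown source for raw-HTML `<script>` elements (flagging those nested in `<svg>`, as in the PoC) while skipping fenced code blocks and code spans, which a renderer shows as text. The sample Markdown is constructed.

```python
"""Flag inline <script> elements (including inside <svg>) in Markdown source.

Renderers that pass raw HTML through (the rehype-raw setup in the advisory)
would execute such scripts; fenced blocks and code spans are skipped so that
a PoC quoted in documentation is not reported as a finding.
"""
import re
from html.parser import HTMLParser

FENCE_RE = re.compile(r"^\s*(```|~~~)")
CODE_SPAN_RE = re.compile(r"`[^`\n]+`")


def strip_code(markdown: str) -> str:
    """Blank out fenced blocks and code spans, keeping line numbers stable."""
    out, in_fence = [], False
    for line in markdown.splitlines():
        if FENCE_RE.match(line):
            in_fence = not in_fence
            out.append("")
        else:
            out.append("" if in_fence else CODE_SPAN_RE.sub("", line))
    return "\n".join(out)


class ScriptFinder(HTMLParser):
    """Record each <script> start tag with its line and whether <svg> encloses it."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.findings = []  # list of (line_number, inside_svg)

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script":
            self.findings.append((self.getpos()[0], self.svg_depth > 0))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def find_inline_scripts(markdown: str):
    """Return (line, inside_svg) for every raw-HTML <script> outside code."""
    finder = ScriptFinder()
    finder.feed(strip_code(markdown))
    finder.close()
    return finder.findings


# Constructed sample: line 3 is the advisory's PoC; lines 5-7 quote it in a fence.
SAMPLE = """# Notes
Safe paragraph with <b>bold</b> raw HTML and a `<script>` code span.
<svg><script>alert(1)</script></svg>
More text.
~~~html
<svg><script>alert(1)</script></svg>
~~~
<script>console.log("plain")</script>
"""

if __name__ == "__main__":
    for line, in_svg in find_inline_scripts(SAMPLE):
        print(f"line {line}: <script>" + (" inside <svg>" if in_svg else ""))
```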

Affected Packages

1 total, 1 fixed

Ecosystem  Package              Vulnerable range  Fix
Go         github.com/k1LoW/mo  all versions      0.18.5

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/k1LoW/mo. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update github.com/k1LoW/mo to 0.18.5 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-vccx-p757-pv6h is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-vccx-p757-pv6h is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-vccx-p757-pv6h. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
