mo has a XSS via inline SVG script tags in Markdown rendering
When rendering Markdown files containing inline SVG elements with <script> tags, the embedded JavaScript is executed in the browser. This is due to rehype-raw passing raw HTML (including SVG) through to the DOM without sanitization.