invenio-previewer is vulnerable to cross-site scripting (XSS). The JSON, Markdown and IPython Notebook previewers render user-uploaded files directly without escaping their contents, allowing an attacker to inject arbitrary JavaScript into a victim’s browser using a malicious file.
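The flaw class described above, shown for a JSON preview as an added example (this is not invenio-previewer's own code). The function names, page template and sample upload are hypothetical and constructed for illustration; the point is that pretty-printing valid JSON does not neutralize markup, so the content must be HTML-escaped where it enters the page.

```python
import html
import json

# Constructed sample: a syntactically valid JSON upload whose string value carries markup.
SAMPLE_UPLOAD = '{"title": "</pre><script>alert(1)</script>"}'

# Hypothetical preview page template (not the project's real template).
PAGE = "<html><body><pre>{body}</pre></body></html>"


def preview_json_unescaped(raw: str) -> str:
    """Pattern the advisory describes: file content reaches the page as-is."""
    # json.dumps leaves '<', '>' and '/' untouched, so re-serializing is not a defence.
    pretty = json.dumps(json.loads(raw), indent=2)
    return PAGE.format(body=pretty)


def preview_json_escaped(raw: str) -> str:
    """Hardened form: HTML-escape the content at the point it enters markup."""
    pretty = json.dumps(json.loads(raw), indent=2)
    return PAGE.format(body=html.escape(pretty, quote=True))


def contains_live_markup(page: str) -> bool:
    """Check for this sample only: did a script tag survive into the output?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    for render in (preview_json_unescaped, preview_json_escaped):
        page = render(SAMPLE_UPLOAD)
        print(f"{render.__name__}: live markup = {contains_live_markup(page)}")
```

The same rule applies to the Markdown and notebook previewers: whatever HTML the converter emits from user content needs escaping or sanitizing before it is placed in the page.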