
CVE-2025-46654

Improper Protection of Alternate Path

Published: Apr 26, 2025 | Modified: Apr 29, 2025
CVSS 3.x: N/A (source: NVD)

CodiMD through 2.2.0 has a CSP-based protection mechanism against XSS through uploaded JavaScript content, but it can be bypassed by uploading a .html file that references an uploaded .js file.
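The bypass works because the uploaded .html file is served as a renderable page in the application's own origin, where it can pull in the uploaded .js file. The following is an added example of a defensive response-header policy for an upload-serving route, written here for illustration; it is not CodiMD's code or its fix, and the extension and MIME allow-lists are constructed assumptions to be tuned per deployment. Any file with an active-document extension, or any type outside the inline allow-list, is served as opaque bytes with a forced download and `nosniff`, so the browser never executes it as a document.

```javascript
// Added example, not CodiMD's code: a response-header policy for a route that
// serves user uploads, so an uploaded .html file is never rendered as a page in
// the application's origin (where it could load an uploaded .js file and run it).
// Both lists below are constructed for this example.

// Extensions a browser may treat as an active document if served inline.
const ACTIVE_DOCUMENT_EXTS = new Set([
  'html', 'htm', 'xhtml', 'xht', 'shtml', 'svg', 'xml', 'mhtml',
]);

// MIME types safe to display inline. image/svg+xml is deliberately absent:
// SVG can carry script.
const INLINE_SAFE_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif', 'image/webp']);

// Lower-cased extension of the last path segment, without the dot ('' if none).
function fileExtension(filename) {
  const base = filename.split(/[\\/]/).pop() || '';
  const dot = base.lastIndexOf('.');
  return dot < 0 ? '' : base.slice(dot + 1).toLowerCase();
}

// Decide how an upload is served. Returns a plain object of response headers.
function uploadResponseHeaders(filename, declaredMime) {
  const ext = fileExtension(filename);
  // Strip parameters such as "; charset=..." before comparing the media type.
  const mime = (declaredMime || '').split(';')[0].trim().toLowerCase();
  const inline = !ACTIVE_DOCUMENT_EXTS.has(ext) && INLINE_SAFE_TYPES.has(mime);
  return {
    // Anything not on the allow-list is served as opaque bytes, so the browser
    // neither renders it nor sniffs it into HTML.
    'Content-Type': inline ? mime : 'application/octet-stream',
    // Force a download for everything except allow-listed images.
    'Content-Disposition': inline ? 'inline' : 'attachment',
    // Never let the browser second-guess the declared type.
    'X-Content-Type-Options': 'nosniff',
    // Defence in depth: even a document that somehow renders gets a unique
    // origin and may load no scripts or other sub-resources.
    'Content-Security-Policy': "sandbox; default-src 'none'",
  };
}

// Apply the policy to a Node http / Express-style response object.
function applyUploadHeaders(res, filename, declaredMime) {
  const headers = uploadResponseHeaders(filename, declaredMime);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return headers;
}
```

Call `applyUploadHeaders(res, storedName, detectedMime)` before streaming the file body, using a server-side detected type rather than one the uploader supplied. Serving uploads from a separate origin removes the remaining risk entirely, since a document rendered there cannot reach the application's cookies or DOM even if a header is misconfigured.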

Weakness

The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.

Potential Mitigations

References