Skip to main content

earmark CVE-2026-48591

MEDIUM
Improper Neutralization of Script in Attributes in a Web Page (CWE-83)
2026-06-17 EEF
4.8
CVSS 4.0 · Vendor: EEF
Share

Severity by source

Vendor (EEF) PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network delivery of stored XSS; PR:L reflects that most applications require an account to submit stored content; victim page-load triggers execution with scope change into browser context.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (EEF).

CVSS VectorVendor: EEF

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 18:09 vuln.today

DescriptionCVE.org

Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values.

'Elixir.Earmark.Transform':_make_att1/2 in lib/earmark/transform.ex splices attribute values verbatim between two literal " bytes: [" ", name, "=\"", value, "\""]. Text nodes are routed through the existing escape function which encodes " as &quot;, but attribute values never visit that path. A markdown link whose URL or title contains a bare " closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, click) renders as <a href="http://example.com/?a=x" onerror="alert(1)">click</a>, executing arbitrary JavaScript in the victim's browser.

The earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx.

This issue affects earmark from 1.4.1 onward.

AnalysisAI

Stored cross-site scripting in earmark (the Elixir Markdown-to-HTML library by pragdave) allows any attacker who can submit markdown content to inject arbitrary JavaScript that executes in the browsers of users who view the rendered output. The root cause is a code path in _make_att1/2 (lib/earmark/transform.ex) that splices HTML attribute values verbatim without encoding double-quote characters, enabling a crafted link URL or title to break out of the href attribute and inject additional HTML event handlers. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker submits crafted markdown link with embedded double-quote in URL
Delivery
earmark splices URL value verbatim into href attribute without encoding
Exploit
Double-quote terminates href attribute early
Execution
Browser parses injected event handler bytes as valid HTML attribute
Persist
Victim loads page containing stored payload
Impact
Arbitrary JavaScript executes in victim's authenticated browser session

Vulnerability AssessmentAI

Exploitation The application must use earmark version 1.4.1 or later to convert markdown to HTML and serve that HTML to other users without an intervening HTML sanitization step. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment A notable inconsistency exists in the provided CVSS 4.0 vector: AV:L (Local) conflicts with the vulnerability description, which clearly depicts a network-delivered stored XSS - a remotely submitted markdown payload stored server-side and later rendered in a victim's browser. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to a markdown-accepting input field (such as a comment box, wiki editor, or issue tracker) submits the payload `[click](http://example.com/?a=x" onerror="alert(document.cookie))` and the content is stored server-side. When any user's browser loads the page containing the earmark-rendered HTML, the injected `onerror` attribute fires, executing JavaScript that exfiltrates the victim's session cookie to an attacker-controlled endpoint. …
Remediation No vendor-released patch will be issued; earmark is officially retired and the maintainer has confirmed no fix will be released. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48591 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy