earmark
CVE-2026-48591
MEDIUM
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network delivery of stored XSS; PR:L reflects that most applications require an account to submit stored content; victim page-load triggers execution with scope change into browser context.
Primary rating from Vendor (EEF).
CVSS VectorVendor: EEF
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values.
'Elixir.Earmark.Transform':_make_att1/2 in lib/earmark/transform.ex splices attribute values verbatim between two literal " bytes: [" ", name, "=\"", value, "\""]. Text nodes are routed through the existing escape function which encodes " as ", but attribute values never visit that path. A markdown link whose URL or title contains a bare " closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, click) renders as <a href="http://example.com/?a=x" onerror="alert(1)">click</a>, executing arbitrary JavaScript in the victim's browser.
The earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx.
This issue affects earmark from 1.4.1 onward.
AnalysisAI
Stored cross-site scripting in earmark (the Elixir Markdown-to-HTML library by pragdave) allows any attacker who can submit markdown content to inject arbitrary JavaScript that executes in the browsers of users who view the rendered output. The root cause is a code path in _make_att1/2 (lib/earmark/transform.ex) that splices HTML attribute values verbatim without encoding double-quote characters, enabling a crafted link URL or title to break out of the href attribute and inject additional HTML event handlers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The application must use earmark version 1.4.1 or later to convert markdown to HTML and serve that HTML to other users without an intervening HTML sanitization step. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | A notable inconsistency exists in the provided CVSS 4.0 vector: AV:L (Local) conflicts with the vulnerability description, which clearly depicts a network-delivered stored XSS - a remotely submitted markdown payload stored server-side and later rendered in a victim's browser. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to a markdown-accepting input field (such as a comment box, wiki editor, or issue tracker) submits the payload `[click](http://example.com/?a=x" onerror="alert(document.cookie))` and the content is stored server-side. When any user's browser loads the page containing the earmark-rendered HTML, the injected `onerror` attribute fires, executing JavaScript that exfiltrates the victim's session cookie to an attacker-controlled endpoint. … |
| Remediation | No vendor-released patch will be issued; earmark is officially retired and the maintainer has confirmed no fix will be released. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today