Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered stored XSS, no privileges needed from attacker, passive victim view required, scope change to victim browser with low C and I impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdown table headers, achieving stored XSS when untrusted markdown is rendered with the default github flavor configuration.
AnalysisAI
Stored cross-site scripting in the showdown JavaScript Markdown-to-HTML library allows an unauthenticated attacker to inject arbitrary HTML and script-executing SVG elements by placing double-quote characters inside Markdown table headers. The unescaped content is written directly into HTML id attributes by the parseHeaders function in src/subParsers/makehtml/tables.js, and the payload is stored and later executed in every victim's browser that views the rendered output. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the target application uses showdown configured with github flavor (the library default), which activates table header ID attribute generation in the parseHeaders function; (2) the application accepts Markdown input from a potentially malicious user - anonymous or authenticated - and stores or relays the rendered HTML output to other users (stored XSS pattern); and (3) at least one victim user passively views a page containing the rendered Markdown (CVSS UI:P). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.3 (Medium) reflects network reachability (AV:N), no authentication requirement on the attacker side (PR:N), low complexity (AC:L), and passive user interaction (UI:P), with low-level confidentiality and integrity impact to both the vulnerable system and downstream users (VC:L/VI:L/SC:L/SI:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker posts a Markdown comment to a wiki or issue tracker powered by showdown, embedding a table header such as '| foo" onmouseover="alert(1)" x="' which breaks out of the generated id attribute. When the application stores and re-renders this Markdown for other users, the injected SVG or event-handler payload executes in each victim's browser, enabling the attacker to steal session cookies or perform authenticated actions. … |
| Remediation | Upstream fix available via commit e5cab1e9a5dcea2bb3cbf888863fa7e65ab37edf (https://github.com/showdownjs/showdown/commit/e5cab1e9a5dcea2bb3cbf888863fa7e65ab37edf); a released patched npm version is not independently confirmed from the available data - monitor the showdown npm package and GitHub releases for a tagged version that includes this commit, then upgrade as soon as one is available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue in the anchors subparser of Showdownjs versions <= 2.1.0 could allow a remote attacker to cause denial of servi
Cross-site scripting in Showdown (all versions ≤ 2.1.0) allows network-accessible injection of arbitrary HTML and JavaSc
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41954
GHSA-22g5-r2x5-97cx