Skip to main content

showdown EUVDEUVD-2026-41954

| CVE-2026-59710 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-06 VulnCheck GHSA-22g5-r2x5-97cx
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-delivered stored XSS, no privileges needed from attacker, passive victim view required, scope change to victim browser with low C and I impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 22:45 vuln.today

DescriptionCVE.org

showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdown table headers, achieving stored XSS when untrusted markdown is rendered with the default github flavor configuration.

AnalysisAI

Stored cross-site scripting in the showdown JavaScript Markdown-to-HTML library allows an unauthenticated attacker to inject arbitrary HTML and script-executing SVG elements by placing double-quote characters inside Markdown table headers. The unescaped content is written directly into HTML id attributes by the parseHeaders function in src/subParsers/makehtml/tables.js, and the payload is stored and later executed in every victim's browser that views the rendered output. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft Markdown table with double-quote injection in header
Delivery
Submit to showdown-rendered application
Exploit
parseHeaders writes unescaped input into id attribute
Execution
Store rendered HTML with injected SVG or event handler
Persist
Victim loads page containing stored payload
Impact
Injected script executes in victim browser context

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the target application uses showdown configured with github flavor (the library default), which activates table header ID attribute generation in the parseHeaders function; (2) the application accepts Markdown input from a potentially malicious user - anonymous or authenticated - and stores or relays the rendered HTML output to other users (stored XSS pattern); and (3) at least one victim user passively views a page containing the rendered Markdown (CVSS UI:P). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.3 (Medium) reflects network reachability (AV:N), no authentication requirement on the attacker side (PR:N), low complexity (AC:L), and passive user interaction (UI:P), with low-level confidentiality and integrity impact to both the vulnerable system and downstream users (VC:L/VI:L/SC:L/SI:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker posts a Markdown comment to a wiki or issue tracker powered by showdown, embedding a table header such as '| foo" onmouseover="alert(1)" x="' which breaks out of the generated id attribute. When the application stores and re-renders this Markdown for other users, the injected SVG or event-handler payload executes in each victim's browser, enabling the attacker to steal session cookies or perform authenticated actions. …
Remediation Upstream fix available via commit e5cab1e9a5dcea2bb3cbf888863fa7e65ab37edf (https://github.com/showdownjs/showdown/commit/e5cab1e9a5dcea2bb3cbf888863fa7e65ab37edf); a released patched npm version is not independently confirmed from the available data - monitor the showdown npm package and GitHub releases for a tagged version that includes this commit, then upgrade as soon as one is available. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy