Earmark
Monthly
Stored cross-site scripting in earmark (the Elixir Markdown-to-HTML library by pragdave) allows any attacker who can submit markdown content to inject arbitrary JavaScript that executes in the browsers of users who view the rendered output. The root cause is a code path in `_make_att1/2` (`lib/earmark/transform.ex`) that splices HTML attribute values verbatim without encoding double-quote characters, enabling a crafted link URL or title to break out of the `href` attribute and inject additional HTML event handlers. Critically, no patched version will be released - the library has been officially retired from Hex - making migration to a maintained alternative the only complete fix. No public exploit identified at time of analysis, though the CVE description itself contains a working proof-of-concept payload.
Stored cross-site scripting in earmark (the Elixir Markdown-to-HTML library by pragdave) allows any attacker who can submit markdown content to inject arbitrary JavaScript that executes in the browsers of users who view the rendered output. The root cause is a code path in `_make_att1/2` (`lib/earmark/transform.ex`) that splices HTML attribute values verbatim without encoding double-quote characters, enabling a crafted link URL or title to break out of the `href` attribute and inject additional HTML event handlers. Critically, no patched version will be released - the library has been officially retired from Hex - making migration to a maintained alternative the only complete fix. No public exploit identified at time of analysis, though the CVE description itself contains a working proof-of-concept payload.