Skip to main content

Showdown

3 CVEs product

Monthly

CVE-2026-59710 MEDIUM PATCH This Month

Stored cross-site scripting in the showdown JavaScript Markdown-to-HTML library allows an unauthenticated attacker to inject arbitrary HTML and script-executing SVG elements by placing double-quote characters inside Markdown table headers. The unescaped content is written directly into HTML id attributes by the parseHeaders function in src/subParsers/makehtml/tables.js, and the payload is stored and later executed in every victim's browser that views the rendered output. No active exploitation has been confirmed (not in CISA KEV) and no EPSS data was supplied, but the default github flavor configuration means most showdown deployments are affected without any non-default setup required.

XSS Showdown
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-59711 MEDIUM This Month

Cross-site scripting in Showdown (all versions ≤ 2.1.0) allows network-accessible injection of arbitrary HTML and JavaScript into rendered pages when the non-default `completeHTMLDocument` option is enabled. Unescaped `<` and `>` characters in Markdown frontmatter `title` metadata are written directly into the HTML `<title>` element, enabling title-context breakout and script execution in victim browsers. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack surface includes any web application that renders attacker-supplied Markdown with `completeHTMLDocument` enabled.

XSS Showdown
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2024-1899 npm MEDIUM POC This Month

An issue in the anchors subparser of Showdownjs versions <= 2.1.0 could allow a remote attacker to cause denial of service conditions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Showdown
NVD
CVSS 3.1
5.3
EPSS
0.8%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stored cross-site scripting in the showdown JavaScript Markdown-to-HTML library allows an unauthenticated attacker to inject arbitrary HTML and script-executing SVG elements by placing double-quote characters inside Markdown table headers. The unescaped content is written directly into HTML id attributes by the parseHeaders function in src/subParsers/makehtml/tables.js, and the payload is stored and later executed in every victim's browser that views the rendered output. No active exploitation has been confirmed (not in CISA KEV) and no EPSS data was supplied, but the default github flavor configuration means most showdown deployments are affected without any non-default setup required.

XSS Showdown
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Cross-site scripting in Showdown (all versions ≤ 2.1.0) allows network-accessible injection of arbitrary HTML and JavaScript into rendered pages when the non-default `completeHTMLDocument` option is enabled. Unescaped `<` and `>` characters in Markdown frontmatter `title` metadata are written directly into the HTML `<title>` element, enabling title-context breakout and script execution in victim browsers. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack surface includes any web application that renders attacker-supplied Markdown with `completeHTMLDocument` enabled.

XSS Showdown
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC This Month

An issue in the anchors subparser of Showdownjs versions <= 2.1.0 could allow a remote attacker to cause denial of service conditions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Showdown
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy