Showdown
Monthly
Stored cross-site scripting in the showdown JavaScript Markdown-to-HTML library allows an unauthenticated attacker to inject arbitrary HTML and script-executing SVG elements by placing double-quote characters inside Markdown table headers. The unescaped content is written directly into HTML id attributes by the parseHeaders function in src/subParsers/makehtml/tables.js, and the payload is stored and later executed in every victim's browser that views the rendered output. No active exploitation has been confirmed (not in CISA KEV) and no EPSS data was supplied, but the default github flavor configuration means most showdown deployments are affected without any non-default setup required.
Cross-site scripting in Showdown (all versions ≤ 2.1.0) allows network-accessible injection of arbitrary HTML and JavaScript into rendered pages when the non-default `completeHTMLDocument` option is enabled. Unescaped `<` and `>` characters in Markdown frontmatter `title` metadata are written directly into the HTML `<title>` element, enabling title-context breakout and script execution in victim browsers. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack surface includes any web application that renders attacker-supplied Markdown with `completeHTMLDocument` enabled.
An issue in the anchors subparser of Showdownjs versions <= 2.1.0 could allow a remote attacker to cause denial of service conditions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Stored cross-site scripting in the showdown JavaScript Markdown-to-HTML library allows an unauthenticated attacker to inject arbitrary HTML and script-executing SVG elements by placing double-quote characters inside Markdown table headers. The unescaped content is written directly into HTML id attributes by the parseHeaders function in src/subParsers/makehtml/tables.js, and the payload is stored and later executed in every victim's browser that views the rendered output. No active exploitation has been confirmed (not in CISA KEV) and no EPSS data was supplied, but the default github flavor configuration means most showdown deployments are affected without any non-default setup required.
Cross-site scripting in Showdown (all versions ≤ 2.1.0) allows network-accessible injection of arbitrary HTML and JavaScript into rendered pages when the non-default `completeHTMLDocument` option is enabled. Unescaped `<` and `>` characters in Markdown frontmatter `title` metadata are written directly into the HTML `<title>` element, enabling title-context breakout and script execution in victim browsers. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack surface includes any web application that renders attacker-supplied Markdown with `completeHTMLDocument` enabled.
An issue in the anchors subparser of Showdownjs versions <= 2.1.0 could allow a remote attacker to cause denial of service conditions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.