GHSA-22g5-r2x5-97cxMediumCVSS 6.1
showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src...
🔗 CVE IDs covered (1)
📋 Description
showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdown table headers, achieving stored XSS when untrusted markdown is rendered with the default github flavor configuration.
🔗 References (6)
- https://nvd.nist.gov/vuln/detail/CVE-2026-59710
- https://github.com/showdownjs/showdown/issues/1046
- https://github.com/showdownjs/showdown/commit/e5cab1e9a5dcea2bb3cbf888863fa7e65ab37edf
- https://github.com/showdownjs/showdown
- https://www.vulncheck.com/advisories/showdown-stored-xss-via-unescaped-table-header-id-attribute-injection
- https://github.com/advisories/GHSA-22g5-r2x5-97cx