GHSA-cr32-g25g-vxjjMediumCVSS 6.1
showdown contains a cross-site scripting vulnerability in metadata title handling that allows...
🔗 CVE IDs covered (1)
📋 Description
showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into HTML title tags, enabling attackers to break out of the title context and execute malicious scripts in the rendered page.
🔗 References (5)
- https://nvd.nist.gov/vuln/detail/CVE-2026-59711
- https://github.com/showdownjs/showdown/issues/1047
- https://github.com/showdownjs/showdown
- https://www.vulncheck.com/advisories/showdown-cross-site-scripting-via-unescaped-metadata-title-in-completehtmldocument
- https://github.com/advisories/GHSA-cr32-g25g-vxjj