Back to overview

CVE-2026-59710

MEDIUM
6.1
CVSS 3.1
Description
showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdown table headers, achieving stored XSS when untrusted markdown is rendered with the default github flavor configuration.

Metadata

CVE ID
CVE-2026-59710
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-06 15:31 UTC
Published
2026-07-06 21:15 UTC
Last updated
2026-07-07 00:09 UTC
Primary CWE
CWE-79
Improper Neutralization of Input During Web Page Generation …
Vendor / Product
showdown / showdown
Sources
cve.org  ·  NVD

Severity & Metrics

6.1 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
showdown showdown 0 ≤ 2.1.0
Weakness (CWE)
CWESourceDescription
CWE-79 cna Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS scores (2)
ScoreSeverityVersionSourceVector
6.1 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.3 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Back to overview