CVE-2026-59711

medium

Description

showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into HTML title tags, enabling attackers to break out of the title context and execute malicious scripts in the rendered page.

References

https://www.vulncheck.com/advisories/showdown-cross-site-scripting-via-unescaped-metadata-title-in-completehtmldocument

https://github.com/showdownjs/showdown/issues/1047

https://github.com/showdownjs/showdown

Details

Source: Mitre, NVD

Published: 2026-07-06

Updated: 2026-07-07

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

CVSS v4

Base Score: 5.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Severity: Medium

EPSS

EPSS: 0.00187