Description
Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values.

'Elixir.Earmark.Transform':_make_att1/2 in lib/earmark/transform.ex splices attribute values verbatim between two literal " bytes: [" ", name, "=\"", value, "\""]. Text nodes are routed through the existing escape function which encodes " as &quot;, but attribute values never visit that path. A markdown link whose URL or title contains a bare " closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, [click](http://example.com/?a=x" onerror="alert(1)) renders as <a href="http://example.com/?a=x" onerror="alert(1)">click</a>, executing arbitrary JavaScript in the victim's browser.

The earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx.

This issue affects earmark from 1.4.1 onward.
Published: 2026-06-17
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The earmark Markdown parser for Elixir contains a stored cross‑site scripting flaw that arises when the library inserts attribute values directly into HTML tags without escaping quotation marks. A crafted Markdown link whose URL or title contains an unescaped quote followed by a JavaScript event handler causes the generated HTML element to include a new attribute. When a browser renders this output, the injected script runs in the user’s context, allowing the attacker to steal session cookies, deface content, or perform other malicious actions.

Affected Systems

The vulnerability affects the earmark library released by the original author pragdave, with all versions from 1.4.1 upward being susceptible. Any Elixir application that incorporates earmark 1.4.1 or later to render user‑supplied Markdown is at risk.

Risk and Exploitability

The CVSS score of 4.8 denotes a moderate impact, and the EPSS value of less than 1% indicates a very small current exploitation probability. The vulnerability does not appear in CISA’s KEV catalog. Exploitation requires an attacker to inject a specially crafted Markdown link that contains an unescaped quotation mark and an event attribute, which must be stored and later rendered by a web application. If the application exposes this rendered content to the browser, the injected JavaScript executes in the victim’s session.

Generated by OpenCVE AI on June 18, 2026 at 19:23 UTC.

Remediation

Vendor Workaround

Migrate to a maintained Markdown library such as MDEx (https://hex.pm/packages/mdex). The earmark package has been retired on Hex and no patched release will be made.

OpenCVE Recommended Actions

  • Replace earmark with a maintained Markdown library such as MDEx, which is actively supported and performs proper attribute escaping.
  • Configure the new renderer to disallow raw HTML or ensure all attributes are sanitized, preventing uncontrolled script injection.
  • Validate the fix by attempting to inject a malicious Markdown link containing a quote and an event attribute; confirm no JavaScript executes in browsers that receive the rendered content.

Generated by OpenCVE AI on June 18, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-52mm-h59v-f3c7 earmark: Stored XSS via unescaped HTML attribute values
History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values. 'Elixir.Earmark.Transform':_make_att1/2 in lib/earmark/transform.ex splices attribute values verbatim between two literal " bytes: [" ", name, "=\"", value, "\""]. Text nodes are routed through the existing escape function which encodes " as &quot;, but attribute values never visit that path. A markdown link whose URL or title contains a bare " closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, [click](http://example.com/?a=x" onerror="alert(1)) renders as <a href="http://example.com/?a=x" onerror="alert(1)">click</a>, executing arbitrary JavaScript in the victim's browser. The earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx. This issue affects earmark from 1.4.1 onward.
Title Stored XSS via unescaped HTML attribute values in earmark
First Time appeared Pragdave
Pragdave earmark
Weaknesses CWE-83
CPEs cpe:2.3:a:pragdave:earmark:*:*:*:*:*:*:*:*
Vendors & Products Pragdave
Pragdave earmark
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Pragdave Earmark
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-18T04:45:59.864Z

Reserved: 2026-05-22T09:36:56.834Z

Link: CVE-2026-48591

cve-icon Vulnrichment

Updated: 2026-06-17T18:25:50.701Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:30:05Z

Weaknesses
  • CWE-83

    Improper Neutralization of Script in Attributes in a Web Page