Impact
The vulnerability is a stored cross‑site scripting flaw in Showdown’s parser for markdown tables. By injecting malformed table header IDs that contain double‑quote characters, attackers can embed arbitrary HTML or script‑executing SVG elements. When this corrupted markdown is later rendered with the default GitHub flavor configuration, the malicious content executes in the victim’s browser, enabling defacement, cookie theft, or other client‑side attacks. The weakness is a classic input‑validation failure, classified as CWE‑79.
Affected Systems
Showdown.js, an open‑source markdown converter for Node.js and browsers, is affected. All current and previously released versions include the unescaped header‑ID handling, and no specific version limits are provided. Any installation that parses markdown tables for HTML output is vulnerable.
Risk and Exploitability
The CVSS score of 5.3 reflects a moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to provide persistent, untrusted markdown containing malicious table header structures. In applications that render user‑generated content with Showdown without additional sanitization, the XSS can be triggered by any visitor, making the risk notable for projects embedding markdown processing.
OpenCVE Enrichment