Description
showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdown table headers, achieving stored XSS when untrusted markdown is rendered with the default github flavor configuration.
Published: 2026-07-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in Showdown’s parser for markdown tables. By injecting malformed table header IDs that contain double‑quote characters, attackers can embed arbitrary HTML or script‑executing SVG elements. When this corrupted markdown is later rendered with the default GitHub flavor configuration, the malicious content executes in the victim’s browser, enabling defacement, cookie theft, or other client‑side attacks. The weakness is a classic input‑validation failure, classified as CWE‑79.

Affected Systems

Showdown.js, an open‑source markdown converter for Node.js and browsers, is affected. All current and previously released versions include the unescaped header‑ID handling, and no specific version limits are provided. Any installation that parses markdown tables for HTML output is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 reflects a moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to provide persistent, untrusted markdown containing malicious table header structures. In applications that render user‑generated content with Showdown without additional sanitization, the XSS can be triggered by any visitor, making the risk notable for projects embedding markdown processing.

Generated by OpenCVE AI on July 7, 2026 at 05:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Showdown to the latest release that includes the parser fix
  • If upgrading is not possible, sanitize the output by stripping or escaping the id attribute on table headers before rendering
  • Configure the renderer to disable raw HTML or use a third‑party sanitizing library such as DOMPurify

Generated by OpenCVE AI on July 7, 2026 at 05:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Description showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdown table headers, achieving stored XSS when untrusted markdown is rendered with the default github flavor configuration.
Title showdown - Stored XSS via Unescaped Table Header ID Attribute Injection
First Time appeared Showdownjs
Showdownjs showdown
Weaknesses CWE-79
CPEs cpe:2.3:a:showdownjs:showdown:*:*:*:*:*:node.js:*:*
Vendors & Products Showdownjs
Showdownjs showdown
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Showdownjs Showdown
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-07T13:47:54.393Z

Reserved: 2026-07-06T15:31:46.188Z

Link: CVE-2026-59710

cve-icon Vulnrichment

Updated: 2026-07-07T12:44:43.850Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T05:15:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')