Description
showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into HTML title tags, enabling attackers to break out of the title context and execute malicious scripts in the rendered page.
Published: 2026-07-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an XSS flaw where unescaped title characters from markdown metadata are inserted into <title> tags when the rendering option is enabled, allowing arbitrary HTML or JavaScript to be executed in the user’s browser. The flaw can lead to script execution, potentially compromising user data or session information, but does not affect server‑side code or data directly.

Affected Systems

Nodes that use the Showdown Markdown library (showdownjs:showdown) in a Node.js environment are affected when the completeHTMLDocument option is used. The CVE editorial notes no specific version constraints; thus any deployment using the vulnerable code base must be evaluated but exact impacted releases are not identified.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and the absence of an EPSS score means the likelihood of exploitation is currently unknown. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed active exploitation in the wild. An attacker must be able to supply crafted markdown that is rendered with completeHTMLDocument enabled, which is typically possible for public content streams or external contributors. If exploited in a web application that presents rendered markdown to users, the attacker could run arbitrary scripts within the victim’s browser context.

Generated by OpenCVE AI on July 7, 2026 at 05:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Showdown to a version that removes the XSS flaw or applies the library provider’s patch as soon as it is released.
  • Restrict or sanitize incoming markdown frontmatter by disabling the completeHTMLDocument option or by removing unescaped characters before rendering.
  • Enable CSP headers that block execution of inline scripts and report violations to detect potential exploitation.

Generated by OpenCVE AI on July 7, 2026 at 05:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into HTML title tags, enabling attackers to break out of the title context and execute malicious scripts in the rendered page.
Title showdown - Cross-Site Scripting via Unescaped Metadata Title in completeHTMLDocument
First Time appeared Showdownjs
Showdownjs showdown
Weaknesses CWE-79
CPEs cpe:2.3:a:showdownjs:showdown:*:*:*:*:*:node.js:*:*
Vendors & Products Showdownjs
Showdownjs showdown
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Showdownjs Showdown
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-07T14:06:55.895Z

Reserved: 2026-07-06T15:31:46.188Z

Link: CVE-2026-59711

cve-icon Vulnrichment

Updated: 2026-07-07T14:06:36.349Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T05:15:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')