Impact
The vulnerability is an XSS flaw where unescaped title characters from markdown metadata are inserted into <title> tags when the rendering option is enabled, allowing arbitrary HTML or JavaScript to be executed in the user’s browser. The flaw can lead to script execution, potentially compromising user data or session information, but does not affect server‑side code or data directly.
Affected Systems
Nodes that use the Showdown Markdown library (showdownjs:showdown) in a Node.js environment are affected when the completeHTMLDocument option is used. The CVE editorial notes no specific version constraints; thus any deployment using the vulnerable code base must be evaluated but exact impacted releases are not identified.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate severity, and the absence of an EPSS score means the likelihood of exploitation is currently unknown. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed active exploitation in the wild. An attacker must be able to supply crafted markdown that is rendered with completeHTMLDocument enabled, which is typically possible for public content streams or external contributors. If exploited in a web application that presents rendered markdown to users, the attacker could run arbitrary scripts within the victim’s browser context.
OpenCVE Enrichment