← Back to CVE feed
CVE-2026-59710
Description
showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdown table headers, achieving stored XSS when untrusted markdown is rendered with the default github flavor configuration.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NReferences
- https://github.com/showdownjs/showdown
- https://github.com/showdownjs/showdown/commit/e5cab1e9a5dcea2bb3cbf888863fa7e65ab37edf
- https://github.com/showdownjs/showdown/issues/1046
- https://www.vulncheck.com/advisories/showdown-stored-xss-via-unescaped-table-header-id-attribute-injection
- https://github.com/showdownjs/showdown/issues/1046