CVE-2026-41591

Source
https://cve.org/CVERecord?id=CVE-2026-41591
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41591.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41591
Aliases
Published
2026-05-08T15:22:50.990Z
Modified
2026-07-15T01:49:00.143339938Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping
Details

Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a <script> or <style> tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a <script> or <style> block could break out of the tag with </SCRIPT>, </Style>, etc. and inject arbitrary HTML/JavaScript, resulting in cross-site scripting. This issue has been patched in marko version 5.38.36 and @marko/runtime-tags 6.0.164.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41591.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/marko-js/marko

Affected ranges

Type
GIT
Repo
https://github.com/marko-js/marko
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "marko < 5.38.36"
        },
        {
            "last_affected": "marko < 5.38.36"
        },
        {
            "introduced": "@marko/runtime-tags < 6.0.164"
        },
        {
            "last_affected": "@marko/runtime-tags < 6.0.164"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

@marko/runtime-tags@6.*
@marko/runtime-tags@6.0.164
marko < 5.*
marko < 5.38.36
marko@5.*
marko@5.38.36

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41591.json"