CVE-2026-59711

Source
https://cve.org/CVERecord?id=CVE-2026-59711
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59711.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59711
Published
2026-07-06T21:00:38.491Z
Modified
2026-07-09T03:51:27.422451163Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
showdown - Cross-Site Scripting via Unescaped Metadata Title in completeHTMLDocument
Details

showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into HTML title tags, enabling attackers to break out of the title context and execute malicious scripts in the rendered page.

Database specific
{
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59711.json"
}
References

Affected packages

Git / github.com/showdownjs/showdown

Affected ranges

Type
GIT
Repo
https://github.com/showdownjs/showdown
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.1.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.4.0
0.5.0
0.5.1
1.*
1.0.0
1.0.0-alpha.2
1.0.0-alpha1
1.0.1
1.0.2
1.1.0
1.2.0
1.2.1
1.2.2
1.3.0
1.4.0
1.4.2
1.4.3
1.4.4
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.8.7
1.9.0
1.9.1
2.*
2.0.0
2.0.0-alpha
2.0.1
2.0.2
2.0.3
2.0.4
2.1.0
v0.*
v0.3.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59711.json"