๐Ÿ” CVE Alert

CVE-2026-59711

MEDIUM 6.1

showdown - Cross-Site Scripting via Unescaped Metadata Title in completeHTMLDocument

CVSS Score
6.1
EPSS Score
0.2%
EPSS Percentile
9th

showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into HTML title tags, enabling attackers to break out of the title context and execute malicious scripts in the rendered page.

CWE CWE-79
Vendor showdown
Product showdown
Published Jul 6, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for showdown showdown

Be the first to know when new medium vulnerabilities affecting showdown showdown are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

showdown / showdown
0 โ‰ค 2.1.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/showdownjs/showdown/issues/1047 github.com: https://github.com/showdownjs/showdown vulncheck.com: https://www.vulncheck.com/advisories/showdown-cross-site-scripting-via-unescaped-metadata-title-in-completehtmldocument

Credits

๐Ÿ” Scott Moore - VulnCheck