Stored Cross-Site Scripting Vulnerability in Pragdave Earmark Library
CVE-2026-48591

4.8 MEDIUM

Key Information:

Vendor: Pragdave
Status: Vendor
CVE Published: 17 June 2026

What is CVE-2026-48591?

The Pragdave Earmark library, a Markdown-to-HTML renderer for Elixir, contains a stored cross-site scripting (XSS) vulnerability caused by improper escaping of HTML attribute values. When a Markdown link's destination URL or title contains a double quote, Earmark emits it unescaped inside the double-quoted href or title attribute of the generated anchor tag. The quote terminates the attribute early, and the browser parses the bytes that follow as additional HTML attributes, including event-handler attributes, so an attacker who can get Markdown stored and rendered by the application can execute arbitrary JavaScript in the browser of every user who views the rendered page, with the usual consequences for session and data compromise. Earmark is no longer maintained and no patched version has been released; users are strongly advised to migrate to an actively maintained Markdown library such as MDEx. Until that migration is done, HTML produced by Earmark should be passed through an HTML sanitizer before it reaches a browser; stripping double quotes from the Markdown input is not a reliable fix, since quotes are legitimate in link destinations and titles.
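The attribute break-out described above, as an added example that is not Earmark's code (it is written in JavaScript rather than Elixir, because the point is how a browser tokenizes the emitted tag). A minimal inline-link renderer that interpolates the destination and title verbatim sits beside one that escapes attribute values, and a small check lists the attribute names a browser would see on the resulting anchor tag. The two sample links, the hypothetical helper names, and the payloads in them are constructed for this example.

```javascript
// Added example (JavaScript, not Earmark's Elixir code): a minimal inline-link
// renderer showing the attribute break-out from the advisory, beside a
// renderer that escapes attribute values, plus a check that lists attributes.

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/'/g, "&#39;");
}

// Escape a value for use as HTML text content.
function escapeText(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Parse one inline link of the form [text](destination "title").
// Deliberately minimal: the destination runs to the first whitespace, and the
// optional title is double-quoted with backslash escapes, so \" in the
// Markdown yields a raw double quote in the parsed title (as Markdown allows).
function parseLink(markdown) {
  const s = markdown.trim();
  const close = s.indexOf("](");
  if (!s.startsWith("[") || close < 0 || !s.endsWith(")")) return null;
  const text = s.slice(1, close);
  const inner = s.slice(close + 2, -1);
  const sp = inner.search(/\s/);
  if (sp < 0) return { text, url: inner, title: null };
  const url = inner.slice(0, sp);
  const m = /^"((?:[^"\\]|\\.)*)"$/.exec(inner.slice(sp).trim());
  if (!m) return null;
  return { text, url, title: m[1].replace(/\\(.)/g, "$1") };
}

// Vulnerable renderer: attribute values are interpolated verbatim, so a raw "
// in the destination or title ends the attribute early.
function renderLinkVulnerable(markdown) {
  const link = parseLink(markdown);
  if (!link) return null;
  const title = link.title === null ? "" : ` title="${link.title}"`;
  return `<a href="${link.url}"${title}>${escapeText(link.text)}</a>`;
}

// Hardened renderer: every attribute value goes through escapeAttr.
function renderLinkHardened(markdown) {
  const link = parseLink(markdown);
  if (!link) return null;
  const title = link.title === null ? "" : ` title="${escapeAttr(link.title)}"`;
  return `<a href="${escapeAttr(link.url)}"${title}>${escapeText(link.text)}</a>`;
}

// Check: list the attribute names a browser-like tokenizer would see on the
// <a> start tag. Any name the template did not emit is a break-out.
function attributeNames(html) {
  const tag = /^<a\s([^>]*)>/.exec(html);
  if (!tag) return [];
  const names = [];
  const re = /([^\s=]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1]);
  return names;
}

// True when the rendered tag carries only the attributes the template
// intended (href and, optionally, title).
function isClean(html) {
  return attributeNames(html).every((n) => n === "href" || n === "title");
}

// Constructed sample inputs (not taken from the advisory). The first smuggles
// a double quote through the destination, the second through the title via \".
const SAMPLE_URL_BREAKOUT = '[click](http://example.com/"onmouseover="alert(1) "Title")';
const SAMPLE_TITLE_BREAKOUT = String.raw`[x](http://a "t\" onclick=\"alert(1)")`;

if (typeof require !== "undefined" && require.main === module) {
  for (const sample of [SAMPLE_URL_BREAKOUT, SAMPLE_TITLE_BREAKOUT]) {
    console.log("vulnerable:", renderLinkVulnerable(sample), isClean(renderLinkVulnerable(sample)));
    console.log("hardened:  ", renderLinkHardened(sample), isClean(renderLinkHardened(sample)));
  }
}
```

The vulnerable renderer turns the first sample into an anchor carrying an onmouseover attribute and the second into one carrying onclick, while the hardened renderer keeps both payloads inside the href or title value as &quot; entities. The attribute listing is the kind of check to run over a renderer's output in a test suite: assert that only the attributes the template emits are present, independent of what the Markdown contained.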

Affected Version(s)

earmark 1.4.1

earmark 8236a0570bd894b50e360da08131ec3294c20799

References

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Robert Dober
Jonatan Männchen / EEF