Stored Cross-Site Scripting Vulnerability in Showdown by ShowdownJS
CVE-2026-59710

5.3MEDIUM

Key Information:

Vendor

Showdown

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-59710?

A stored cross-site scripting vulnerability exists in Showdown's markdown parsing feature. This flaw occurs in the parseHeaders function, particularly due to improper escaping of table header ID attributes. By exploiting this vulnerability, attackers can inject malicious HTML and executable SVG elements through crafted markdown table headers. When such untrusted markdown is rendered under the default GitHub flavor configuration, it could lead to the execution of arbitrary scripts, compromising the security of user data and applications reliant on this library.

Affected Version(s)

showdown 0 <= 2.1.0

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

vc-smoore
.