CVE-2026-59710 in showdown
Zusammenfassung
von MITRE • 07.07.2026
showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdown table headers, achieving stored XSS when untrusted markdown is rendered with the default github flavor configuration.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.