PatchSiren

showdown CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM showdown CVE published 2026-07-06

CVE-2026-59710

CVE-2026-59710 is a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js in showdown. The vulnerability fails to properly escape table header ID attributes, allowing attackers to inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdown table headers, achieving stored XSS when untrusted markdown is rendered wi [truncated]

MEDIUM showdown CVE published 2026-07-06

CVE-2026-59711

The showdown library contains a cross-site scripting vulnerability in its metadata title handling. When the 'completeHTMLDocument' option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into HTML title tags. This allows attackers to break out of the title context and execute malicious scripts in the rendered page. The vulnerability has a C [truncated]