CVE-2026-59711 PUBLISHED

showdown - Cross-Site Scripting via Unescaped Metadata Title in completeHTMLDocument

Assigner: VulnCheck
Reserved: 06.07.2026 Published: 06.07.2026 Updated: 07.07.2026

showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into HTML title tags, enabling attackers to break out of the title context and execute malicious scripts in the rendered page.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.3

Product Status

Vendor showdown
Product showdown
Versions Default: unaffected
  • affected from 0 to 2.1.0 (incl.)

Credits

  • Scott Moore - VulnCheck reporter

References

Problem Types

  • Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE