Linux Distros Unpatched Vulnerability : CVE-2020-26237

🗓️ 18 Aug 2025 00:00:00Reported by TenableType

Unpatched Linux host CVE-2020-26237: Highlight.js prototype pollution; upgrade to 9.18.2 or 10.1.2+

Reporter	Title	Published	Views	Family All 31
IBM Security Bulletins	Security Bulletin: Highlight.js Prototype Pollution Vulnerability in Code Block Parsing, affects watsonx.data	8 Apr 202606:42	–	ibm
IBM Security Bulletins	Security Bulletin: Cloud Pak for Security contains packages that have multiple vulnerabilities	1 Apr 202216:38	–	ibm
AstraLinux	Astra Linux - уязвимость в highlight.js	20 May 202605:53	–	astralinux
CNNVD	Highlightjs Security Vulnerability	24 Nov 202000:00	–	cnnvd
CVE	CVE-2020-26237	24 Nov 202023:00	–	cve
Cvelist	CVE-2020-26237 Prototype Pollution in highlight.js	24 Nov 202023:00	–	cvelist
Debian	[SECURITY] [DLA 2511-1] highlight.js security update	30 Dec 202022:37	–	debian
Debian CVE	CVE-2020-26237	24 Nov 202023:00	–	debiancve
Tenable Nessus	Debian DLA-2511-1 : highlight.js security update	4 Jan 202100:00	–	nessus
Tenable Nessus	Oracle MySQL Enterprise Monitor (July 2022 CPU)	20 Jul 202200:00	–	nessus

Source	Link
ubuntu	www.ubuntu.com/security/CVE-2020-26237
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(250926);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/21");

  script_cve_id("CVE-2020-26237");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2020-26237");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2
    are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in
    prototype pollution of the base object's prototype during highlighting. If you allow users to insert
    custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter
    the language names the user can provide you may be vulnerable. The pollution should just be harmless data
    but this can cause problems for applications not expecting these properties to exist and can result in
    strange behavior or application crashes, i.e. a potential DOS vector. If your website or application does
    not render user provided data it should be unaffected. Versions 9.18.2 and 10.1.2 and newer include fixes
    for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release.
    (CVE-2020-26237)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2020-26237");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-26237");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/11/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/08/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.04");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:highlight.js");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Ubuntu Linux-25.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Ubuntu Linux-25.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "25.04",
        "pkgs": [
          {"reference": "highlight.js"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

21 May 2026 00:00Current

6.9Medium risk

Vulners AI Score6.9

CVSS 24.9

CVSS 3.15.8 - 8.7

EPSS0.00602