Lucene search
K

210 matches found

Circl
Circl
added 2026/06/26 10:35 p.m.5 views

CVE-2026-48801

creationtimestamp| type| source ---|---|--- 2026-06-26 22:35:32+00:00| published-proof-of-concept| https://github.com/markdown-it/linkify-it/security/advisories/GHSA-22p9-wv53-3rq4...

5.8AI score
Exploits0References1
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/22 2:27 p.m.3 views

Security Bulletin: DataStage on Cloud Pak for Data has several vulnerabilities due to open source software

Summary Open source packages are used as part of the overall processing in DataStage on Cloud Pak for Data. Vulnerability Details CVEID:CVE-2025-13465 DESCRIPTION: Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the .unset and .omit functions. An attacker can pass...

9.8CVSS6.8AI score0.01535EPSS
Exploits1Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/06/20 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2026-48988

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic On^2...

5.3CVSS5.9AI score0.00306EPSS
Exploits1References3
OSV
OSV
added 2026/06/17 9:16 p.m.5 views

DEBIAN-CVE-2026-48988

markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic On^2 processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt, which performs On slicing and...

5.3CVSS5.2AI score0.00306EPSS
Exploits1References1
NVD
NVD
added 2026/06/17 9:16 p.m.12 views

CVE-2026-48988

markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic On^2 processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt, which performs On slicing and...

5.3CVSS0.00306EPSS
Exploits1References2
OSV
OSV
added 2026/06/17 9:16 p.m.6 views

UBUNTU-CVE-2026-48988

markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic On^2 processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt, which performs On slicing and...

5.3CVSS5.7AI score0.00306EPSS
Exploits1References4
CVE
CVE
added 2026/06/17 8:54 p.m.39 views

CVE-2026-48988

markdown-it is affected by a Denial-of-Service vulnerability (CVE-2026-48988) when typographer: true is enabled. Versions 14.1.1 and earlier process smartquotes with a quadratic time complexity due to repeated uses of replaceAt(), causing high CPU usage on quote-heavy inputs. The issue can degrad...

5.3CVSS5.2AI score0.00306EPSS
Exploits1References2Affected Software1
Debian CVE
Debian CVE
added 2026/06/17 8:54 p.m.8 views

CVE-2026-48988

markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic On^2 processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt, which performs On slicing and...

5.3CVSS5.2AI score0.00306EPSS
Exploits1
OSV
OSV
added 2026/06/15 8:41 p.m.8 views

GHSA-6V5V-WF23-FMFQ markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations

Summary A quadratic time complexity vulnerability exists in markdown-it's smartquotes rule enabled via the typographer: true option. An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time, leading to denial of service...

5.3CVSS5.4AI score0.00306EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/15 8:41 p.m.7 views

Inefficient Algorithmic Complexity

Overview org.webjars.npm:markdown-it is a modern pluggable markdown parser. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the replaceAt function in the smartquotes rule when processing markdown input with a large number of consecutive quotation mar...

6.9CVSS6AI score0.00306EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/06/15 8:41 p.m.11 views

markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations

Summary A quadratic time complexity vulnerability exists in markdown-it's smartquotes rule enabled via the typographer: true option. An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time, leading to denial of service...

5.3CVSS5.4AI score0.00306EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.12 views

PT-2026-49555

Name of the Vulnerable Software and Affected Versions markdown-it affected versions not specified Description A quadratic time complexity issue exists in the smartquotes rule when the typographer: true option is enabled. An attacker can provide markdown input containing a large number of...

5.3CVSS5.2AI score0.00306EPSS
Exploits1References9
OSV
OSV
added 2026/06/04 8:38 p.m.10 views

ROOT-APP-NPM-CVE-2026-2327 CVE-2026-2327 in @rootio/markdown-it - Patched by Root

Root has patched CVE-2026-2327 in the @rootio/markdown-it package for Root:npm. Multiple fixed versions available...

5.3CVSS7.1AI score0.00503EPSS
Exploits0
Circl
Circl
added 2026/05/23 11:47 p.m.8 views

CVE-2026-48988

creationtimestamp| type| source ---|---|--- 2026-05-23 23:47:27+00:00| published-proof-of-concept| https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6v5v-wf23-fmfq 2026-06-17 22:39:57+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mojeymb5ll2z...

5.3CVSS5.8AI score0.00306EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/03/07 7:31 p.m.5 views

CVE-2026-29082

Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown .md with markdown-it instantiated as html:true and injects the resulting HTML with Vue’s v-html without sanitisation. At time of publication, there a...

7.3CVSS5.8AI score0.00232EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/03/06 4:33 p.m.40 views

CVE-2026-29082 Kestra: Stored Cross-Site Scripting in Markdown File Preview

Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown .md with markdown-it instantiated as html:true and injects the resulting HTML with Vue’s v-html without sanitisation. At time of publication, there a...

7.3CVSS0.00232EPSS
Exploits1References2
EUVD
EUVD
added 2026/03/06 4:33 p.m.6 views

EUVD-2026-10046

Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown .md with markdown-it instantiated as html:true and injects the resulting HTML with Vue’s v-html without sanitisation. At time of publication, there a...

7.3CVSS5.8AI score0.00232EPSS
Exploits1References2
CVE
CVE
added 2026/03/06 4:33 p.m.19 views

CVE-2026-29082

Kestra, an event-driven orchestration platform, has a Stored XSS risk in versions 1.1.10 and earlier due to the execution-file preview rendering user-supplied Markdown with markdown-it (html: true) and injecting the HTML via Vue’s v-html without sanitisation. This can allow an attacker to inject ...

7.3CVSS5.8AI score0.00232EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/03/03 8:59 p.m.3 views

GHSA-WWP2-X4RJ-J8RM NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells

Summary Rich text cell content rendered via v-html without sanitization, enabling stored XSS. Details Rich text in TextArea.vue was parsed by markdown-it with html: true and injected via v-html without DOMPurify. A user with Editor role can inject arbitrary HTML that executes for all viewers...

5.3CVSS6AI score0.00179EPSS
Exploits0References4
OSV
OSV
added 2026/03/03 8:59 p.m.6 views

GHSA-RCPH-X7MJ-54MM NocoDB Vulnerable to Stored Cross-site Scripting via Comments

Summary Comments rendered via v-html without sanitization, enabling stored XSS. Details Comments in Comments.vue were parsed by markdown-it with html: true and injected via v-html without DOMPurify. A user with Commenter role can inject arbitrary HTML that executes for all viewers. Impact Stored...

5.3CVSS6AI score0.00179EPSS
Exploits0References4
Rows per page
Query Builder