33 matches found
CVE-2026-41591
Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a <script> or <style> tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker...
CVE-2026-41591
Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a ,...
CVE-2026-41591 Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping
Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a <script> or <style> tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker...
CVE-2026-41591
The CVE affects Marko and @marko/runtime-tags, where dynamic text inside , ), enabling cross-site scripting (XSS) if untrusted input is interpolated inside these blocks. Affected versions are Marko <= 5.38.35 and @marko/runtime-tags <= 6.0.163; the issue is patched in Marko 5.38.36 and @mar...
marko cross-site scripting vulnerability
Marko is an open-source declarative HTML language used for building dynamic user interfaces. Versions of Marko prior to 5.38.36 contained a cross-site scripting vulnerability. This vulnerability occurred when dynamic text was inserted into script or style tags without preventing the escape of...
@marko/translator-interop-class-tags (>=0.1.1 <=0.2.24), @marko/translator-tags (>=0.1.1 <=0.4.8) potentially affected by CVE-2026-41591 via @marko/runtime-tags (>=0.1.25 <=0.3.86)
@marko/runtime-tags NPM version =0.1.25, =0.1.1, =0.1.1, =0.4.8 Source cves: CVE-2026-41591 Source advisory: OSV:GHSA-X9FJ-57FH-C8WQ...
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping
Summary When dynamic text is interpolated into a <script> or <style> tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a <script> or <style> block could break out of the tag with , , etc. and inject arbitrary HTML/JavaScript, resulting in...
@27works/posto (=2.0.2), @awly/lasso (=3.2.4) +180 more potentially affected by CVE-2026-41591 via marko (>=1.6.11 <=5.20.9)
marko NPM version =1.6.11, =1.15.0, =1.0.0, =1.0.0, =1.0.0, =0.4.15, =1.26.0, =0.4.16, =0.1.0, =0.2.0, =0.0.1, =1.0.0, =1.0.1, =1.1.1 and more Source cves: CVE-2026-41591 Source advisory: OSV:GHSA-X9FJ-57FH-C8WQ...
@marko/compiler (=5.0.0-next.0), @marko/translator-default (=5.0.0-next.0) +1 more potentially affected by CVE-2026-41591 via marko (>=5.0.0-next.0 <=5.20.9)
marko NPM version =5.0.0-next.0, =1.1.4, =1.2.1 Source cves: CVE-2026-41591 Source advisory: SNYK:JS-MARKO-16421453...
Cross-site Scripting (XSS)
Overview @marko/runtime-tags is an Optimized runtime for Marko templates. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of interpolated values within <script> or <style> tags due to improper case-insensitive detection of closing tags. An attacker can execute arbitrar...
Cross-site Scripting (XSS)
Overview marko is an UI Components + streaming, async, high performance, HTML templating for Node.js and the browser. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of interpolated values within <script> or <style> tags due to improper case-insensitive detection of...
GHSA-X9FJ-57FH-C8WQ Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping
Summary When dynamic text is interpolated into a <script> or <style> tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a <script> or <style> block could break out of the tag with , , etc. and inject arbitrary HTML/JavaScript, resulting in...
CVE-2026-41591
creationtimestamp | type | source
---|---|---
2026-04-18 00:29:59+00:00 | published-proof-of-concept | https://github.com/marko-js/marko/security/advisories/GHSA-x9fj-57fh-c8wq...
CVE-2025-62146
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maksym Marko MX Time Zone Clocks mx-time-zone-clocks allows Stored XSS. This issue affects MX Time Zone Clocks: from n/a through <= 5.1.1...
EUVD-2025-205912
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maksym Marko MX Time Zone Clocks allows Stored XSS. This issue affects MX Time Zone Clocks: from n/a through 5.1.1...
EUVD-2024-45436
Malicious code in bioql PyPI...
DOGE Denizen Marko Elez Leaked API Key for xAI
Marko Elez, a 25-year-old employee at Elon Musk's Department of Government Efficiency (DOGE), has been granted access to sensitive databases at the U.S. Social Security Administration, the Treasury and Justice departments, and the Department of Homeland Security. So it should fill all Americans wi...
MAL-2025-3950 Malicious code in example-marko-webpack (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 553d816403e5dd786bafbe39f79c521cc2e5bd1917b425aefd7d5f34c96400b6 The OpenSSF Package Analysis project identified 'example-marko-webpack' @ 100.0.2 npm as malicious. It is considered malicious because: - The...
Malicious code in example-marko-webpack (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 553d816403e5dd786bafbe39f79c521cc2e5bd1917b425aefd7d5f34c96400b6 The OpenSSF Package Analysis project identified 'example-marko-webpack' @ 100.0.2 npm as malicious. It is considered malicious because: - The...