@marko/translator-interop-class-tags (>=0.1.1 <=0.2.24), @marko/translator-tags (>=0.1.1 <=0.4.8) potentially affected by CVE-2026-41591 via @marko/runtime-tags (>=0.1.25 <=0.3.86)

@marko/runtime-tags NPM version =0.1.25, =0.1.1, =0.1.1, =0.4.8 Source cves: CVE-2026-41591 Source advisory: OSV:GHSA-X9FJ-57FH-C8WQ...

Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping

Summary When dynamic text is interpolated into a or tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a or block could break out of the tag with , , etc. and inject arbitrary HTML/JavaScript, resulting in...

GHSA-X9FJ-57FH-C8WQ Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping

Summary When dynamic text is interpolated into a or tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a or block could break out of the tag with , , etc. and inject arbitrary HTML/JavaScript, resulting in...

Cross-site Scripting (XSS)

Overview @marko/runtime-tags is an Optimized runtime for Marko templates. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the handling of interpolated values within or tags due to improper case-insensitive detection of closing tags. An attacker can execute arbitrar...