CVE Catalog

CVE-2026-48591

MediumCVSS 4.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile — higher than 3% of all known CVEs

Summary

A vulnerability in the pragdave earmark library allows stored cross-site scripting via improper neutralization of HTML attribute values. Attribute values are not properly encoded, enabling XSS attacks.

Risk Assessment

Organizations may be exposed to cross-site scripting attacks, potentially leading to user data theft or session hijacking. Exploiting this vulnerability can compromise the security of web applications.

Recommendation

It is recommended to migrate to another maintained Markdown library, such as MDEx, to mitigate the risks associated with this vulnerability. Additionally, an audit of the application should be conducted to identify potential XSS attack vectors.

Original NVD description (English source)

Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values. 'Elixir.Earmark.Transform':_make_att1/2 in lib/earmark/transform.ex splices attribute values verbatim between two literal " bytes: [" ", name, "=\"", value, "\""]. Text nodes are routed through the existing escape function which encodes " as &quot;, but attribute values never visit that path. A markdown link whose URL or title contains a bare " closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, [click](http://example.com/?a=x" onerror="alert(1)) renders as <a href="http://example.com/?a=x" onerror="alert(1)">click</a>, executing arbitrary JavaScript in the victim's browser. The earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx. This issue affects earmark from 1.4.1 onward.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS