CVE-2026-59711

Severity CVSS v4.0:
MEDIUM
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
06/07/2026
Last modified:
07/07/2026

Description

showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into HTML title tags, enabling attackers to break out of the title context and execute malicious scripts in the rendered page.