CVE-2026-48591: CWE-83 Improper Neutralization of Script in Attributes in a Web Page in pragdave earmark
Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values. 'Elixir.Earmark.Transform':_make_att1/2 in lib/earmark/transform.ex splices attribute values verbatim between two literal " bytes: [" ", name, "=\"", value, "\""]. Text nodes are routed through the existing escape function which encodes " as &quot;, but attribute values never visit that path. A markdown link whose URL or title contains a bare " closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, [click](http://example.com/?a=x" onerror="alert(1)) renders as <a href="http://example.com/?a=x" onerror="alert(1)">click</a>, executing arbitrary JavaScript in the victim's browser. The earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx. This issue affects earmark from 1.4.1 onward.
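The following Elixir illustration is added here and is not earmark's own code (module and function names are assumptions): it builds an attribute the way the description above says _make_att1/2 does, beside a version that runs the value through attribute-context escaping first, and renders the advisory's example link with each.

```elixir
defmodule AttrEscapeDemo do
  @moduledoc """
  Added illustration, not code from the earmark project. A simplified
  stand-in for the attribute splice described in the advisory, next to the
  escaping step that attribute values need before being quoted.
  """

  # Simplified version of the splice: the value lands between two literal
  # quote bytes untouched, so a quote inside the value ends the attribute.
  def make_att_unescaped(name, value) do
    IO.iodata_to_binary([" ", name, "=\"", value, "\""])
  end

  # Escape the characters that matter inside a double-quoted attribute value.
  # Ampersand must go first so already-produced entities are not re-encoded.
  def escape_attr(value) do
    value
    |> String.replace("&", "&amp;")
    |> String.replace("<", "&lt;")
    |> String.replace(">", "&gt;")
    |> String.replace("\"", "&quot;")
    |> String.replace("'", "&#39;")
  end

  # Same splice, but the value is escaped before it is placed between the quotes.
  def make_att_escaped(name, value) do
    make_att_unescaped(name, escape_attr(value))
  end

  # Render an anchor element with whichever attribute builder is passed in.
  def render_link(href, text, att_fun) do
    IO.iodata_to_binary(["<a", att_fun.("href", href), ">", text, "</a>"])
  end
end

# Constructed input mirroring the link destination quoted in the advisory.
href = "http://example.com/?a=x\" onerror=\"alert(1)"

# Unescaped: the quote in the value closes href and the rest becomes a new attribute.
IO.puts(AttrEscapeDemo.render_link(href, "click", &AttrEscapeDemo.make_att_unescaped/2))

# Escaped: the quote becomes &quot; and the whole value stays inside href.
IO.puts(AttrEscapeDemo.render_link(href, "click", &AttrEscapeDemo.make_att_escaped/2))
```

Running the script with `elixir` prints the two renderings one after the other; only the first contains a standalone onerror attribute.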
AI Analysis
Technical Summary
The vulnerability in pragdave earmark (CVE-2026-48591) is due to improper neutralization of script in HTML attribute values within the library's transformation function. Specifically, attribute values in generated HTML are inserted verbatim between double quotes without escaping, allowing an attacker to close the attribute early and inject additional attributes containing malicious JavaScript. For example, a markdown link with a URL containing a double quote followed by an onerror attribute results in execution of arbitrary JavaScript in the victim's browser. The earmark library is retired and unmaintained, with no patch forthcoming. All releases from 1.4.1 onward are affected.
Potential Impact
Successful exploitation allows stored cross-site scripting: arbitrary JavaScript runs in users' browsers when they view maliciously crafted markdown content rendered by earmark. This can lead to session hijacking, defacement, or other client-side attacks. The vulnerability affects the integrity and confidentiality of users interacting with content processed by affected earmark releases (1.4.1 onward).
Mitigation Recommendations
No official fix or patch is available, as the earmark library is no longer maintained and has been retired. Users should migrate to a maintained Markdown library such as MDEx to avoid this vulnerability. Until migration, avoid processing untrusted markdown content with affected earmark releases (1.4.1 onward).
CVSS v4.0
Score: 4.8 (Medium)
Affected software
cpe:2.3:a:pragdave:earmark:*:*:*:*:*:*:*:*
Weaknesses
Technical Details
- Data Version: 5.2
- Assigner Short Name: EEF
- Date Reserved: 2026-05-22T09:36:56.834Z
- Cvss Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a32dadcf198dc38c1cefc7a
Added to database: 6/17/2026, 5:35:24 PM
Last enriched: 6/17/2026, 5:50:32 PM
Last updated: 6/17/2026, 6:50:58 PM