
GHSA-5VP3-3CG6-2RQ3: Cross-Site Scripting via Markdown Serialization Breakout in justhtml

Vulnerability ID: GHSA-5VP3-3CG6-2RQ3
CVSS Score: 7.5
Published: 2026-03-24

The Python library justhtml, in versions prior to 1.13.0, suffers from a Cross-Site Scripting (XSS) vulnerability due to improper handling of HTML <pre> elements during Markdown serialization. This flaw permits attackers to break out of generated Markdown code blocks and execute arbitrary JavaScript when the output is processed by downstream Markdown renderers.

TL;DR: justhtml < 1.13.0 fails to dynamically size backtick fences when serializing <pre> tags to Markdown, enabling XSS through code block breakouts.

⚠️ Exploit Status: POC

Technical Details
CWE ID: CWE-79, CWE-74
Attack Vector: Network
CVSS v3.1 Score: 7.5 (High)
Impact: Arbitrary JavaScript Execution
Exploit Status: Proof of Concept Available
KEV Status: Not Listed
Affected Component: justhtml.to_markdown()
Remediation: Upgrade to >= 1.13.0

Affected Systems
Python app
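The defect class described above, illustrated with an added example that is not justhtml's code: a hypothetical <pre>-to-Markdown serializer that always emits a three-backtick fence, beside a hardened version that sizes the fence one backtick longer than the longest backtick run in the content (the CommonMark rule), plus a small fence-aware scanner that reports which output lines a CommonMark renderer would treat as lying outside the code block. The input containing a bare "```" line is constructed for the demonstration; the function names are assumptions, not justhtml's API.

```python
import re

# CommonMark: a backtick fence is a run of >=3 backticks; the closing fence must be
# at least as long as the opening one, and an opening fence's info string (the text
# after the backticks) must not itself contain a backtick.
_FENCE_RE = re.compile(r"\s{0,3}(`{3,})(.*)")


def pre_to_markdown_fixed_fence(code: str, lang: str = "") -> str:
    """Naive serializer: always three backticks, the pattern the advisory describes
    for justhtml < 1.13.0. A "```" line inside the content closes the block early."""
    return f"```{lang}\n{code}\n```"


def longest_backtick_run(text: str) -> int:
    """Length of the longest consecutive run of backticks in the content (0 if none)."""
    return max((len(run) for run in re.findall(r"`+", text)), default=0)


def pre_to_markdown_dynamic_fence(code: str, lang: str = "") -> str:
    """Hardened serializer: the fence is at least three backticks and strictly longer
    than any backtick run inside the content, so no content line can close it.
    The info string is stripped of backticks and whitespace so it cannot break the
    opening fence either."""
    fence = "`" * max(3, longest_backtick_run(code) + 1)
    safe_lang = re.sub(r"[`\s]", "", lang)
    return f"{fence}{safe_lang}\n{code}\n{fence}"


def lines_outside_fences(markdown: str) -> list[str]:
    """Minimal CommonMark-style scan: return the lines that are NOT inside a fenced
    code block. For a serialized <pre> this list should be empty; any entry is content
    a downstream renderer would interpret as Markdown/HTML rather than literal code."""
    outside: list[str] = []
    open_len = 0  # length of the currently open fence, 0 when no block is open
    for line in markdown.split("\n"):
        m = _FENCE_RE.fullmatch(line)
        if open_len == 0:
            if m and "`" not in m.group(2):
                open_len = len(m.group(1))  # opening fence
            else:
                outside.append(line)
        elif m and len(m.group(1)) >= open_len and m.group(2).strip() == "":
            open_len = 0  # closing fence: long enough and nothing after it
        # otherwise the line is literal code inside the block
    return outside


if __name__ == "__main__":
    # Constructed <pre> content: a bare "```" line followed by markup that must stay literal.
    content = "x = 1\n```\n<b>not code</b>"
    for name, serializer in (("fixed", pre_to_markdown_fixed_fence),
                             ("dynamic", pre_to_markdown_dynamic_fence)):
        md = serializer(content, "python")
        print(f"--- {name} fence ---\n{md}\nleaked lines: {lines_outside_fences(md)}\n")
```

Running it shows the fixed-fence output leaking the `<b>not code</b>` line outside the block, while the dynamic-fence output (a four-backtick fence here) keeps every content line inside. The same scanner doubles as a regression check: serialize a corpus of <pre> contents containing backtick runs and assert `lines_outside_fences` is empty for each.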