GHSA-5VP3-3CG6-2RQ3: Cross-Site Scripting via Markdown Serialization Breakout in justhtml
Vulnerability ID: GHSA-5VP3-3CG6-2RQ3
CVSS Score: 7.5
Published: 2026-03-24
The Python library justhtml versions prior to 1.13.0 suffer from a Cross-Site Scripting (XSS) vulnerability due to improper handling of HTML
elements during Markdown serialization. This flaw permits attackers to break out of generated Markdown code blocks and execute arbitrary JavaScript when the output is processed by downstream Markdown renderers.
TL;DR
justhtml serializes pre tags to Markdown with a fixed three-backtick fence, so backticks inside the pre content can close the code block early, enabling XSS through code block breakouts.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79, CWE-74
- Attack Vector: Network
- CVSS v3.1 Score: 7.5 (High)
- Impact: Arbitrary JavaScript Execution
- Exploit Status: Proof of Concept Available
- KEV Status: Not Listed
- Affected Component: justhtml.to_markdown()
- Remediation: Upgrade to >= 1.13.0
Affected Systems
- Python applications utilizing the justhtml library for HTML to Markdown serialization
- Content Management Systems (CMS) relying on justhtml for user content processing
- Applications passing justhtml output directly into Markdown-to-HTML engines like GFM or CommonMark
- justhtml: versions prior to 1.13.0 (fixed in 1.13.0)
Code Analysis
Commit: f35f8f7
Fix: Calculate dynamic backtick fence length for pre tags
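The fix in commit f35f8f7 sizes the backtick fence from the content rather than always emitting three backticks. The following added example is not justhtml's own code: it contrasts a fixed-length fence with one computed as "longest backtick run plus one" and applies the CommonMark closing-fence rule (a line of at least as many backticks as the opening fence) to show which output lets a constructed pre body escape the code block. Function names and the sample content are assumptions made for the illustration.

```python
import re

# Constructed sample pre content: it contains a three-backtick run, which is
# exactly what a fixed ``` fence cannot contain safely.
SAMPLE_PRE_TEXT = "print('hi')\n```\nthis line would be rendered as raw Markdown\n```"


def naive_pre_to_markdown(text: str) -> str:
    """Vulnerable shape: a fixed three-backtick fence regardless of content."""
    return f"```\n{text}\n```\n"


def fence_for(text: str) -> str:
    """Return a backtick fence strictly longer than any backtick run in text.

    CommonMark closes a fenced block on a line of at least as many backticks as
    the opening fence, so a fence one longer than the longest run inside the
    content can never be matched by that content.
    """
    longest_run = max((len(m) for m in re.findall(r"`+", text)), default=0)
    return "`" * max(3, longest_run + 1)


def safe_pre_to_markdown(text: str) -> str:
    """Hardened shape: dynamic fence length, as in the justhtml fix."""
    fence = fence_for(text)
    return f"{fence}\n{text}\n{fence}\n"


def fenced_block_closes_early(markdown: str) -> bool:
    """Minimal CommonMark check: does any content line close the block before
    the intended closing fence? True means the content breaks out."""
    lines = markdown.split("\n")
    opening_len = len(lines[0])
    body = lines[1:]
    # Output ends with "<fence>\n", so the intended closing fence is the
    # second-to-last element and the last element is the empty trailing string.
    intended_close = len(body) - 2
    closing = re.compile(r"`{%d,}" % opening_len)
    for i, line in enumerate(body):
        if closing.fullmatch(line.strip()):
            return i < intended_close
    return False


if __name__ == "__main__":
    print("naive fence breaks out:", fenced_block_closes_early(naive_pre_to_markdown(SAMPLE_PRE_TEXT)))
    print("dynamic fence breaks out:", fenced_block_closes_early(safe_pre_to_markdown(SAMPLE_PRE_TEXT)))
```

Run stand-alone, the naive serializer reports a breakout (the inner three-backtick line closes the block and the following line is handed to the Markdown renderer as ordinary markup), while the dynamic four-backtick fence keeps the whole body inside the code block. The same fence-length rule generalizes to any number of backticks in the content, which is why the fix computes it per element instead of picking a larger constant.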
Exploit Details
- Security Research PoC: Proof of concept demonstrating the Markdown code block breakout using backticks inside a pre element.
Mitigation Strategies
- Upgrade justhtml to version 1.13.0 or higher.
- Implement secondary HTML sanitization on the output of the Markdown renderer.
- Configure the downstream Markdown parser to strictly disable raw HTML rendering.
- Deploy a robust Content Security Policy (CSP) to restrict inline JavaScript execution.
Remediation Steps:
- Identify all projects utilizing the justhtml library.
- Update the dependency requirements in requirements.txt or pyproject.toml to specify justhtml>=1.13.0.
- Execute package manager updates (e.g., pip install --upgrade justhtml).
- Verify the fix by running the provided PoC payload against the updated application.
- Review downstream Markdown rendering configurations to ensure strict compliance with security best practices.