Nixpkgs security tracker

Permalink CVE-2021-47837

7.2 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 3 months ago

Markdownify 1.2.0 - Persistent Cross-Site Scripting

Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution.

References

ExploitDB-49835 exploit
Markdownify GitHub Repository product
Proof of Concept Video exploit
VulnCheck Advisory: Markdownify 1.2.0 - Persistent Cross-Site Scripting exploitthird-party-advisory

Affected products

Markdownify

==1.2.0

Matching in nixpkgs

pkgs.python312Packages.markdownify

HTML to Markdown converter

nixos-unstable 1.1.0
- nixpkgs-unstable 1.1.0
- nixos-unstable-small 1.1.0
nixos-25.11 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.python313Packages.markdownify