CVE-2026-48591
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: EEF

Description
Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values. 'Elixir.Earmark.Transform':_make_att1/2 in lib/earmark/transform.ex splices attribute values verbatim between two literal " bytes: [" ", name, "=\"", value, "\""]. Text nodes are routed through the existing escape function which encodes " as &quot;, but attribute values never visit that path. A markdown link whose URL or title contains a bare " closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, [click](http://example.com/?a=x" onerror="alert(1)) renders as <a href="http://example.com/?a=x" onerror="alert(1)">click</a>, executing arbitrary JavaScript in the victim's browser. The earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx. This issue affects earmark from 1.4.1 onward.
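To make the attribute splicing concrete, here is an added Python re-implementation of the two attribute builders the description contrasts. It is illustrative code written for this page, not earmark's own Elixir code: vulnerable_attr mirrors the verbatim splice the advisory attributes to _make_att1/2, escaped_attr is the hardened form, and Python's html.parser stands in for a browser tokenizer to show which attributes each output ends up with. The payload is the advisory's own example; the function and class names are the example's own.

```python
import html
from html.parser import HTMLParser
from typing import Optional

# Constructed payload, copied from the advisory's own example.
PAYLOAD_URL = 'http://example.com/?a=x" onerror="alert(1)'


def vulnerable_attr(name: str, value: str) -> str:
    """Splice an attribute the way the advisory describes for _make_att1/2:
    the value lands between two literal quote bytes, untouched."""
    return "".join([" ", name, '="', value, '"'])


def escaped_attr(name: str, value: str) -> str:
    """Hardened form: &, <, >, \" and ' are entity-encoded before splicing,
    so a quote inside the value can no longer terminate the attribute."""
    return "".join([" ", name, '="', html.escape(value, quote=True), '"'])


def render_link(url: str, text: str, title: Optional[str] = None, *, attr=vulnerable_attr) -> str:
    """Minimal stand-in for a Markdown link renderer: the text node is escaped
    (as earmark already does); attributes go through `attr`."""
    attrs = attr("href", url)
    if title is not None:
        attrs += attr("title", title)
    return f"<a{attrs}>{html.escape(text)}</a>"


class _StartTagAttrs(HTMLParser):
    """Collect the attributes the tokenizer assigns to the first start tag.
    Entity references in attribute values are decoded, as a browser would."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attributes(fragment: str) -> dict:
    parser = _StartTagAttrs()
    parser.feed(fragment)
    parser.close()
    return parser.attrs or {}


def demo():
    """Return (attributes seen for the vulnerable splice,
    attributes seen for the hardened splice)."""
    bad = render_link(PAYLOAD_URL, "click")                      # verbatim splice
    good = render_link(PAYLOAD_URL, "click", attr=escaped_attr)  # escaped splice
    return parsed_attributes(bad), parsed_attributes(good)


if __name__ == "__main__":
    bad_attrs, good_attrs = demo()
    print(render_link(PAYLOAD_URL, "click"))
    print("tokenizer sees:", bad_attrs)    # onerror is a separate attribute
    print(render_link(PAYLOAD_URL, "click", attr=escaped_attr))
    print("tokenizer sees:", good_attrs)   # everything stays inside href
```

The vulnerable splice yields the exact tag quoted in the description, and the tokenizer reports two attributes, href and onerror; the escaped splice yields a single href whose decoded value still contains the injected text, which is harmless because it never leaves the attribute. The same applies to the title attribute, which the renderer above builds the same way.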
Meta Information
Generated: 2026-06-18
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: pragdave
Product: earmark
Version / Range: from 1.4.1 (inclusive)
CWE
CWE-83: The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
Executive Summary

CVE-2026-48591 is a stored cross-site scripting (XSS) vulnerability in the earmark library, a Markdown processor written in Elixir (running on the Erlang VM).

The issue arises from improper neutralization of script in HTML attributes, allowing stored XSS via unescaped attribute values.

Specifically, the vulnerability occurs in the _make_att1/2 function where attribute values are inserted verbatim without escaping double quotes ("). This allows an attacker to craft a Markdown link with a URL or title containing a bare double quote, which prematurely closes the attribute and lets the browser parse trailing bytes as new HTML attributes, such as onerror, enabling execution of arbitrary JavaScript in the victim's browser.

The earmark library is no longer maintained, no patched version will be released, and all versions from 1.4.1 onward are affected.

Compliance Impact

This vulnerability allows stored cross-site scripting (XSS) attacks via unescaped HTML attribute values, which can lead to the execution of arbitrary JavaScript in a victim's browser.

Such XSS vulnerabilities can compromise the confidentiality and integrity of user data, potentially leading to unauthorized access or data leakage.

Consequently, this may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring secure processing.

Organizations using the affected earmark library should consider migrating to a maintained Markdown library to mitigate this risk and maintain compliance.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript code in the browsers of users who view the affected Markdown content.

Such execution can lead to theft of user credentials, session hijacking, defacement, or other malicious actions depending on the attacker's intent.

Because the vulnerability is stored XSS, the malicious script can persist in the system and affect multiple users over time.

Detection Guidance

This vulnerability is stored cross-site scripting (XSS) via unescaped HTML attribute values in the earmark Markdown processor. Two things are worth finding: deployments that render untrusted Markdown with earmark 1.4.1 or later (check the earmark entry and its version in mix.lock), and stored Markdown in which a link destination or title contains a bare double quote ("). A raw " is not a valid URL character, so one inside a link destination is suspicious on its own, whatever attribute name follows it.

To detect exploitation attempts or already-stored payloads, search stored content and request logs for links whose destination or title contains a double quote followed by an event-handler attribute.

  • Scan Markdown files or stored content for a double quote followed by an on* handler, e.g. grep -rEi '"[[:space:]]*on[a-z]+=' /path/to/markdown/files. The fixed-string form grep -rF '" onerror="' /path/to/markdown/files catches only that one handler name and spacing.
  • Monitor web server logs for URL-encoded forms of the same pattern, e.g. %22 onerror=%22 or %22%20onerror%3D%22; percent-decode the request line before matching so that encoding variants do not slip past.
  • Treat matches as candidates, not proof: confirm by rendering the stored Markdown with the deployed earmark version and checking whether the resulting <a> tag carries an attribute the author did not write.
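As an added example that is not part of the advisory, the following Python script applies the detection steps above to a constructed set of stored Markdown records and access-log lines. It flags inline links, single-quoted titles and reference-style definitions whose destination or title carries a bare double quote, which a grep for one handler name would miss when the attribute name differs, and it percent-decodes request lines before matching. Record contents, log lines and function names are invented for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample of stored Markdown (e.g. user comments in a database); not real data.
STORED_MARKDOWN = {
    "c1": "Docs are at [the wiki](https://wiki.example.test/Start).",
    "c2": '[click](http://example.com/?a=x" onerror="alert(1))',            # advisory payload
    "c3": "[here](https://example.test/ 'x\" onmouseover=\"alert(2)')",   # quote inside a title
    "c4": '[ref link][r1]\n\n[r1]: https://example.test/?q=1" onclick="alert(3)',  # reference form
    "c5": 'See [docs](https://example.test/docs "Project docs") for details.',  # benign title
}

# Constructed access-log lines; the second carries the advisory payload URL-encoded.
ACCESS_LOG = [
    '203.0.113.5 - - [17/Jun/2026:10:01:02 +0000] "POST /comments HTTP/1.1" 302 0',
    '203.0.113.9 - - [17/Jun/2026:10:02:15 +0000] "GET /preview?md=%5Bclick%5D%28http%3A%2F%2F'
    'example.com%2F%3Fa%3Dx%22%20onerror%3D%22alert%281%29%29 HTTP/1.1" 200 512',
    '203.0.113.7 - - [17/Jun/2026:10:03:40 +0000] "GET /search?q=%22quoted%22 HTTP/1.1" 200 88',
]

LINK_OPEN = re.compile(r"\]\(")
REF_DEF = re.compile(r"^\s{0,3}\[[^\]]+\]:\s*(?P<dest>\S+)(?:\s+(?P<title>.+?))?\s*$", re.M)
HANDLER_AFTER_QUOTE = re.compile(r'"\s*on\w+\s*=', re.I)


def _link_body(text: str, start: int):
    """Text inside an inline link's parentheses, honouring balanced parens
    (alert(1) contains one pair), or None if unterminated on this line."""
    depth, i = 1, start
    while i < len(text) and text[i] != "\n":
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start:i]
        i += 1
    return None


def _split_dest_title(body: str):
    body = body.strip()
    if body.startswith("<") and ">" in body:           # <dest> form
        end = body.index(">")
        return body[1:end], body[end + 1:].strip()
    parts = body.split(None, 1)
    return (parts[0] if parts else ""), (parts[1].strip() if len(parts) > 1 else "")


def _unwrap_title(title: str) -> str:
    """Strip a well-formed "..." / '...' / (...) title wrapper; a quote that
    survives inside is what would break out of the rendered attribute."""
    if len(title) >= 2 and (title[0], title[-1]) in {('"', '"'), ("'", "'"), ("(", ")")}:
        return title[1:-1]
    return title


def find_attribute_breakouts(markdown: str):
    """List (kind, dest, title) for links whose dest or title holds a bare '"'."""
    findings = []
    for m in LINK_OPEN.finditer(markdown):
        body = _link_body(markdown, m.end())
        if body is None:
            continue
        dest, title = _split_dest_title(body)
        if '"' in dest or '"' in _unwrap_title(title):
            findings.append(("inline", dest, title))
    for m in REF_DEF.finditer(markdown):
        dest, title = m.group("dest"), m.group("title") or ""
        if '"' in dest or '"' in _unwrap_title(title):
            findings.append(("reference", dest, title))
    return findings


def scan_store(store: dict) -> dict:
    """Map record id -> findings, for records that have any."""
    return {key: f for key, md in store.items() if (f := find_attribute_breakouts(md))}


def suspicious_log_lines(lines):
    """Lines that, once percent-decoded, contain a quote followed by an on*= handler."""
    return [line for line in lines if HANDLER_AFTER_QUOTE.search(unquote(line))]


if __name__ == "__main__":
    for key, findings in scan_store(STORED_MARKDOWN).items():
        for kind, dest, title in findings:
            print(f"{key}: {kind} link, dest={dest!r}, title={title!r}")
    for line in suspicious_log_lines(ACCESS_LOG):
        print("log hit:", line)
```

Records c2, c3 and c4 are reported and c1 and c5 are not; only the second log line matches, the benign %22quoted%22 search does not. The scanner is deliberately permissive about what counts as a link, so review hits rather than acting on them automatically.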
Mitigation Strategies

The earmark library is no longer maintained and no patched version will be released. The only complete fix is to migrate away from earmark to a maintained Markdown library such as MDEx.

Until migration is complete, do not render untrusted Markdown with vulnerable versions of earmark (1.4.1 and later), or put a defence between earmark's output and the browser:

  • Run earmark's rendered HTML through an allowlist-based HTML sanitizer before storing or serving it, so that an injected event-handler attribute is dropped however the Markdown was written. Filtering the Markdown input for double quotes in URLs or titles is a weaker stopgap: it has to cover every link form (inline, reference-style, titles in either quote style), and one missed case is a full bypass.
  • Deploy a Content Security Policy whose script-src does not allow 'unsafe-inline'; this blocks inline event handlers such as onerror="..." even when the markup reaches the browser, and limits the impact of any remaining XSS.
  • Review and restrict which users may submit Markdown that is rendered for others, to limit the ability to inject malicious Markdown.