Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVE-2026-46492

Low

0/10

Summary

A cross-site scripting (XSS) vulnerability exists in the application's Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML--including <script> tags--is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain. Version 1.10.3 has been patched.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: CHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

References

Advisory

Advisory Timeline

Published May 21, 2026

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVE-2026-46492

Summary

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS