CVE-2016-10531 - AskarLabs CVE Database

CVE-2016-10531

Vendor Hackerone

Product marked node module

Weakness CWE-79 · XSS

Published May 31, 2018

Last update September 17, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.

Key dates

02Disclosure timeline

May 31, 2018 CVE published

September 17, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2016-10531 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2026-6824 CP Plus 8 Ch. Network Video Recorder Cross-site Scripting CVE-2025-31434 WordPress FormLift for Infusionsoft Web Forms plugin <= 7.5.19 - Cross Site Scripting (XSS) Vulnerability CVE-2025-25191 Group-Office has a Stored XSS Vulnerability via user's name field CVE-2025-11821 Woocommerce – Products By Custom Tax <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2024-43714 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)