CVE-2021-39199 CRITICAL

CVE-2021-39199: Cross site scripting via unsafe defaults in remark-html

Vendor Remarkjs
Product remark-html
Weakness CWE-79 · XSS
Published September 7, 2021
Last update August 4, 2024
View on NVD All CVEs

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

remark-html is an open source nodejs library which compiles Markdown to HTML. In affected versions the documentation of remark-html has mentioned that it was safe by default. In practice the default was never safe and had to be opted into. That is, user input was not sanitized. This means arbitrary HTML can be passed through leading to potential XSS attacks. The problem has been patched in 13.0.2 and 14.0.1: `remark-html` is now safe by default, and the implementation matches the documentation. On older affected versions, pass `sanitize: true` if you cannot update.

Key dates

02Disclosure timeline

September 7, 2021 CVE published
August 4, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-40676 CVE-2024-22306 WordPress Mang Board WP Plugin <= 1.7.7 is vulnerable to Cross Site Scripting (XSS) CVE-2025-47676 WordPress User Login History plugin <= 2.1.6 - Cross Site Scripting (XSS) Vulnerability CVE-2025-22313 WordPress Widgetize Pages Light plugin <= 3.0 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-9277 SiteSEO – SEO Simplified <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Broken Regex Expression