CVE-2022-23647 HIGH

CVE-2022-23647: Cross-site Scripting in Prism

Vendor Prismjs
Product prism
Weakness CWE-79 · XSS
Published February 18, 2022
Last update April 23, 2025
View on NVD All CVEs

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L

What the vulnerability does

01Description

Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.

Key dates

02Disclosure timeline

February 18, 2022 CVE published
April 23, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-5989 Stored XSS in Uyumsoft ERP CVE-2024-32528 WordPress WP Dynamic Keywords Injector plugin <= 2.3.18 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2023-46251 Visual editor persistent Cross-site Scripting (XSS) in MyBB CVE-2025-22294 WordPress Custom Field For WP Job Manager plugin <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2023-48780 WordPress WP Catalogue Plugin <= 1.7.6 is vulnerable to Cross Site Scripting (XSS)