CVE-2024-56510 MEDIUM

CVE-2024-56510: Marp Core allows XSS by improper neutralization of HTML sanitization

Vendor Marp-Team
Product marp-core
Weakness CWE-79 · XSS
Published December 26, 2024
Last update December 27, 2024
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

@marp-team/marp-core is the core for Marp, which is the ecosystem to write your presentation with plain Markdown. Marp Core from v3.0.2 to v3.9.0 and v4.0.0, are vulnerable to cross-site scripting (XSS) due to improper neutralization of HTML sanitization. Marp Core v3.9.1 and v4.0.1 have been patched to fix that. If you are unable to update the package immediately, disable all HTML tags by setting html: false option in the Marp class constructor.

Key dates

02Disclosure timeline

December 26, 2024 CVE published
December 27, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-23891 WordPress Yet Another Countdown Plugin plugin <= 1.0.1 - Cross Site Scripting (XSS) vulnerability CVE-2024-1421 HT Mega – Absolute Addons For Elementor <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Carousel Widget CVE-2025-62528 Taguette cross-site scripting vulnerability via tag name, tag description, document name and document description CVE-2025-69084 WordPress Photo Gallery plugin <= 2.7.7.26 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-10757 PHPGurukul Online Shopping Portal js_data.php cross site scripting