Moderate severityNVD Advisory· Published Jan 27, 2015· Updated May 6, 2026
CVE-2015-1370
CVE-2015-1370
Description
Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
markednpm | < 0.3.3 | 0.3.3 |
Affected products
1Patches
23c1911449391fc372d1c6293Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
10- github.com/chjj/marked/issues/492nvdExploitWEB
- nodesecurity.io/advisories/marked_vbscript_injectionnvdExploit
- github.com/advisories/GHSA-cfjh-p3g4-3q2fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2015-1370ghsaADVISORY
- www.openwall.com/lists/oss-security/2015/01/23/2nvdWEB
- github.com/evilpacket/marked/commit/3c191144939107c45a7fa11ab6cb88be6694a1banvdWEB
- github.com/markedjs/marked/commit/fc372d1c6293267722e33f2719d57cebd67b3da1ghsaWEB
- github.com/markedjs/marked/issues/492ghsaWEB
- www.npmjs.com/advisories/24ghsaWEB
- www.npmjs.com/advisories/24/versionsghsaWEB
News mentions
0No linked articles in our index yet.