Medium severity6.1NVD Advisory· Published May 31, 2018· Updated Jun 17, 2026
CVE-2016-10531
CVE-2016-10531
Description
marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because &#xNNanything; gets parsed to what it could and leaves the rest behind, resulting in just anything; being left.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
markednpm | < 0.3.6 | 0.3.6 |
Affected products
2- HackerOne/marked node modulev5Range: <=0.3.5
Patches
Vulnerability mechanics
References
6- github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523nvdPatchThird Party AdvisoryWEB
- github.com/chjj/marked/pull/592nvdExploitIssue TrackingThird Party AdvisoryWEB
- github.com/advisories/GHSA-vfvf-mqq8-rwqcghsaADVISORY
- nodesecurity.io/advisories/101nvdThird Party Advisory
- nvd.nist.gov/vuln/detail/CVE-2016-10531ghsaADVISORY
- www.npmjs.com/advisories/101ghsaWEB
News mentions
0No linked articles in our index yet.