Medium severity · 6.1 · OSV Advisory · Published Dec 20, 2018 · Updated Jun 17, 2026

CVE-2018-1000874

Description

PHP cebe markdown parser version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in all distributed parsers allowing a maliciously crafted script to be executed that can result in the loss of user data and sensitive user information. This attack can be exploited by crafting a three backtick wrapped payload with a character in front: L: "``````". NOTE: This has been argued as a non-issue (see references) since it is not the parser's job to sanitize malicious code from a parsed document.

Affected products

2
  • Cebe/Markdown · OSV · 2 versions
    0.9.0, 0.9.1, 0.9.2, … + 1 more
    • (no CPE) range: 0.9.0, 0.9.1, 0.9.2, …
    • (no CPE) range: <=1.2.0

References

2
