CVE-2018-5773
Description
Markdown2's safe_mode fails to escape crafted input, enabling XSS via incomplete HTML tags.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An XSS vulnerability exists in the safe_mode feature of python-markdown2 (also known as markdown2) through version 2.3.5. The safe_mode sanitizer does not properly escape user input, allowing an attacker to inject arbitrary JavaScript. The issue can be triggered by omitting the final > character from an HTML tag, such as an IMG tag, which causes the sanitizer to not recognize the malicious input and leaves it unescaped in the output [1][2].
Exploitation
An attacker with the ability to supply arbitrary Markdown content to an application using markdown2 in safe_mode can send a crafted payload. For example, an `<img` tag carrying an `onerror` event handler with the closing `>` omitted bypasses the sanitization and produces an HTML image tag with an `onerror` event handler in the rendered output. No authentication or special privileges are required beyond the ability to submit content that will be processed by the vulnerable function [2].
Impact
Successful exploitation leads to stored or reflected cross-site scripting (XSS) in the context of the victim's browser. This allows the attacker to execute arbitrary JavaScript, potentially stealing session cookies, exfiltrating sensitive data, or performing actions on behalf of the victim within the affected application [2].
Mitigation
The vulnerability is fixed in python-markdown2 version 2.3.6 and later. Users should upgrade to the latest version. The fix addresses incomplete tag handling in safe_mode. No other workarounds are documented in the available references [1][3].
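The bypass and the fix, modelled in a constructed example that is not markdown2's own code: `COMPLETE_TAG_RE`, `sanitize_vulnerable`, `sanitize_fixed` and `render_paragraph` are simplified stand-ins for safe_mode's HTML pass and Markdown's paragraph wrapping, and only `INCOMPLETE_TAG_RE` is the pattern from the fix commit. The inputs are the repository's CVE-2018-5773 test case shown on this page.

```python
import re

# Constructed, simplified model of markdown2 safe_mode="replace". It is not
# markdown2's code; it keeps only the property that matters for this CVE:
# the HTML pass recognises *complete* tags and passes everything else through.
COMPLETE_TAG_RE = re.compile(r"</?\w+[^>]*>")
REMOVED = "[HTML_REMOVED]"

# Pattern introduced by the upstream fix (PR #303): a '<', an optional '/',
# a tag name and at least one whitespace character, i.e. a tag opener whose
# attributes begin before any closing '>' (written here as a raw string).
INCOMPLETE_TAG_RE = re.compile(r"<(/?\w+\s+)")


def sanitize_vulnerable(text: str) -> str:
    """Pre-2.3.6 shape: complete tags are replaced; an unterminated tag is
    not a match, so it survives verbatim (the CVE-2018-5773 bypass)."""
    return COMPLETE_TAG_RE.sub(REMOVED, text)


def encode_incomplete_tags(text: str) -> str:
    """The fix: neutralise the leading '<' of every unterminated tag opener."""
    return INCOMPLETE_TAG_RE.sub(r"&lt;\1", text)


def sanitize_fixed(text: str) -> str:
    """2.3.6 shape: replace complete tags, then run the non-tag remainder
    through encode_incomplete_tags, mirroring where the patch applies it."""
    out, pos = [], 0
    for m in COMPLETE_TAG_RE.finditer(text):
        out.append(encode_incomplete_tags(text[pos:m.start()]))
        out.append(REMOVED)
        pos = m.end()
    out.append(encode_incomplete_tags(text[pos:]))
    return "".join(out)


def render_paragraph(sanitize, text: str) -> str:
    """Markdown wraps the sanitised line in <p>...</p>; with the bypass, that
    closing tag is what a browser uses to terminate the unterminated <img."""
    return "<p>" + sanitize(text) + "</p>"


if __name__ == "__main__":
    # Inputs taken from the CVE-2018-5773 test case in the fix commit.
    for payload in ('<img src="" onerror=alert(/XSS/) ',
                    '</img src="" onerror=alert(/XSS/) '):
        print("vulnerable:", render_paragraph(sanitize_vulnerable, payload))
        print("fixed:     ", render_paragraph(sanitize_fixed, payload))
    # A complete tag is still handled by the ordinary safe_mode replacement.
    print("complete:  ", sanitize_fixed('<img src="x" onerror=alert(1)>'))
```

The vulnerable path reproduces the expected-output line the repository's test checks against, while the fixed path yields the same line with the opening `<` encoded as `&lt;`.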
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| markdown2 (PyPI) | < 2.3.6 | 2.3.6 |
Affected products
- ghsa-coords (2 version ranges, no CPE):
  - range: < 2.3.6
  - range: < 2.4.0-2.4
Patches
Commit 1b1dcdd727c0: Merge pull request #303 from thombashi/fix_cve-2018-5773
5 files changed · +17 −2
lib/markdown2.py+9 −1 modified@@ -1203,7 +1203,7 @@ def _is_auto_link(s): self.html_spans[key] = sanitized tokens.append(key) else: - tokens.append(token) + tokens.append(self._encode_incomplete_tags(token)) is_html_markup = not is_html_markup return ''.join(tokens) @@ -2140,6 +2140,14 @@ def _encode_amps_and_angles(self, text): text = self._naked_gt_re.sub('>', text) return text + _incomplete_tags_re = re.compile("<(/?\w+\s+)") + + def _encode_incomplete_tags(self, text): + if self.safe_mode not in ("replace", "escape"): + return text + + return self._incomplete_tags_re.sub("<\\1", text) + def _encode_backslash_escapes(self, text): for ch, escape in list(self._escape_table.items()): text = text.replace("\\"+ch, escape)
test/tm-cases/basic_safe_mode.html+1 −1 modified@@ -28,7 +28,7 @@ <p><img src="http://example.com>[HTML_REMOVED]alert(1)[HTML_REMOVED]" alt="img3" /></p> -<p><img src="javascript:alert(1)"</p> +<p><img src="javascript:alert(1)"</p> <p><img src="http://example.com/image.gif?h=200&w=500" alt="ok img" /></p>
test/tm-cases/CVE-2018-5773.html+3 −0 added@@ -0,0 +1,3 @@ +<p><img src="" onerror=alert(/XSS/) </p> + +<p></img src="" onerror=alert(/XSS/) </p>
test/tm-cases/CVE-2018-5773.opts+1 −0 added@@ -0,0 +1 @@ +{"safe_mode": "replace"}
test/tm-cases/CVE-2018-5773.text+3 −0 added@@ -0,0 +1,3 @@ +<img src="" onerror=alert(/XSS/) + +</img src="" onerror=alert(/XSS/)
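Review bot: in the second lib/markdown2.py hunk, `_incomplete_tags_re = re.compile("<(/?\w+\s+)")` puts `\w` and `\s` in a non-raw string literal; Python currently leaves unknown escapes intact so the pattern works, but newer interpreters warn about invalid escape sequences, so prefer `re.compile(r"<(/?\w+\s+)")`. Separately, the replacement as shown, `"<\\1"`, rewrites each match to itself; the intent is for that leading character to be the escaped entity, and since the added expectation `<p><img src="" onerror=alert(/XSS/) </p>` in test/tm-cases/CVE-2018-5773.html is rendered the same way, it is worth confirming the committed replacement string is the escaped form rather than a literal `<`.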
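Review bot: the `-` and `+` lines of the test/tm-cases/basic_safe_mode.html hunk are identical as shown (`<p><img src="javascript:alert(1)"</p>`), so either the hunk is a no-op or the changed character is an HTML entity that this rendering collapsed; the expected output for an unterminated `<img` under safe_mode should begin with an escaped `<`, otherwise the test cannot tell fixed output from vulnerable output.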
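Review bot: test/tm-cases/CVE-2018-5773.opts only exercises `{"safe_mode": "replace"}`, while the new `_encode_incomplete_tags` also activates for `"escape"` (`if self.safe_mode not in ("replace", "escape")`); add a second case with `{"safe_mode": "escape"}` so both modes covered by the condition are tested.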
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-p6h9-gw49-rqm4 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-5773 (ghsa; ADVISORY)
- github.com/google/osv/issues/430 (ghsa; WEB)
- github.com/pypa/advisory-database/tree/main/vulns/markdown2/PYSEC-2018-13.yaml (ghsa; WEB)
- github.com/trentm/python-markdown2/blob/master/CHANGES.md (ghsa; WEB)
- github.com/trentm/python-markdown2/commit/1b1dcdd727c0ef03453b9f5ef5ae3679f1d72323 (ghsa; WEB)
- github.com/trentm/python-markdown2/issues/285 (ghsa, x_refsource_MISC; WEB)
- github.com/trentm/python-markdown2/pull/303 (ghsa; WEB)
News mentions
No linked articles in our index yet.