VYPR
Moderate severity · NVD Advisory · Published Apr 20, 2020 · Updated Aug 4, 2024

CVE-2020-11888

Description

python-markdown2 through 2.3.8 allows XSS due to improper validation of HTML element names via crafted markup.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

python-markdown2 versions up to 2.3.8 are vulnerable to a stored cross-site scripting (XSS) attack because the library mishandles HTML element names when converting Markdown to HTML. The flaw lies in the element name validation: the code expects names to match the regex \w+, but fails to reject names that include characters like @ or - after the initial match. As a result, an attacker can inject arbitrary attributes, such as onclick, to execute malicious scripts [1][2].

Exploitation

An attacker can exploit this by submitting Markdown content that includes a crafted HTML tag, for example: <elementname@ onclick="alert(1)">. If the application renders this Markdown without proper sanitization, the malicious tag is processed and the onclick handler is injected into the generated HTML. No authentication is required if the application processes untrusted user input, making this a critical issue for services that allow user-generated content [1].

Impact

Successful exploitation leads to cross-site scripting (XSS), enabling an attacker to steal session cookies, deface websites, redirect users to malicious sites, or perform other actions in the context of the victim's browser. This can compromise the confidentiality and integrity of the application and its users [3].

Mitigation

The vulnerability is fixed in python-markdown2 versions after 2.3.8. Users should upgrade to the latest version as soon as possible. For those unable to upgrade, a workaround may be to sanitize user input before processing it with markdown2. The advisory has been published in the PySec advisory database and distributions like Fedora have issued updates [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: markdown2 (PyPI)
Affected versions: < 2.3.9
Patched versions: 2.3.9

Affected products: 4

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Insufficient validation of HTML element names allows characters like @ and - to bypass the \w+ regex check, enabling injection of arbitrary attributes such as onclick."

Attack vector

An attacker crafts Markdown input containing a malformed HTML element name (e.g., `elementname@` or `elementname-`) followed by an event handler attribute like `onclick`. The markdown2 processor fails to reject the element name because the regex `\w+` match succeeds on the leading alphanumeric characters, so the element and its dangerous attributes pass through to the output HTML unescaped [CWE-79]. When a victim views the rendered page, the injected script executes in their browser. No authentication or special network position is required — the attacker only needs to supply the malicious Markdown to a user or application that renders it.

Affected code

The advisory does not specify exact file paths or function names. The vulnerability resides in the HTML element-name parsing logic within the markdown2 library (lib/markdown2.py) [1]. The regex pattern that validates element names uses `\w+`, which matches alphanumeric and underscore characters but does not reject trailing invalid characters like `@` or `-`.

What the fix does

No patch is included in the bundle. The advisory [1] does not provide a specific fix or remediation guidance. The vulnerability exists in python-markdown2 through version 2.3.8, and the project's GitHub repository is the expected source for a future fix. Based on the root cause, a proper fix would tighten the element-name validation regex to reject names containing characters like `@` or `-` that are not valid in HTML tag names, or sanitize the entire tag name against a strict whitelist before emitting it.
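The following is an added illustration of that fix, written for this page rather than taken from markdown2: a prefix-only `\w+` check beside a hardened validator that requires the pattern to consume the entire element name and then checks the name against a whitelist. The whitelist, the tag-extraction regex and the `render_raw_tag` helper are assumptions made for the example.

```python
import html
import re

# Constructed whitelist for this example (an assumption, not markdown2's own policy).
ALLOWED_ELEMENTS = frozenset({"a", "b", "em", "strong", "p", "code", "pre", "ul", "ol", "li"})

# Weak check modelled on the advisory's description: \w+ matches the leading
# word characters of "elementname@" and nothing insists that the whole name matched.
WEAK_NAME_RE = re.compile(r"\w+")

# Hardened check: the pattern must consume the entire name (fullmatch), and the
# name must additionally be on the whitelist of elements the renderer will emit.
STRICT_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")

# Pulls the element name out of an opening or closing tag such as '<p class="x">'.
TAG_NAME_RE = re.compile(r"<\s*/?\s*([^\s/>]+)")


def weak_name_is_valid(name: str) -> bool:
    # re.match anchors only at the start, so trailing garbage is never seen.
    return WEAK_NAME_RE.match(name) is not None


def strict_name_is_valid(name: str) -> bool:
    return (STRICT_NAME_RE.fullmatch(name) is not None
            and name.lower() in ALLOWED_ELEMENTS)


def render_raw_tag(tag: str, name_is_valid) -> str:
    """Pass a raw HTML tag through only if its element name validates;
    otherwise emit it entity-escaped so the browser displays it as text."""
    m = TAG_NAME_RE.match(tag)
    if m is None or not name_is_valid(m.group(1)):
        return html.escape(tag)
    return tag


if __name__ == "__main__":
    # Constructed sample of the malformed element name the advisory describes.
    crafted = '<elementname@ onclick="alert(1)">'
    print("weak  :", render_raw_tag(crafted, weak_name_is_valid))
    print("strict:", render_raw_tag(crafted, strict_name_is_valid))
    print("strict:", render_raw_tag('<em class="x">', strict_name_is_valid))
```

With the weak validator the crafted tag is emitted unchanged; with the strict one it is escaped while a whitelisted `<em>` still passes.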

Preconditions

  • Config: The application must use python-markdown2 (through version 2.3.8) to render user-supplied Markdown to HTML.
  • Input: The attacker must be able to supply arbitrary Markdown input that will be processed and served to other users.

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 12

News mentions: 0

No linked articles in our index yet.