← All advisories

Moderate severityNVD Advisory· Published Jul 25, 2022· Updated Sep 16, 2024

Cross-site Scripting (XSS)

CVE-2020-28459

Description

This affects all versions of package markdown-it-decorate. An attacker can add an event handler or use javascript:xxx for the link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
markdown-it-decoratenpm	<= 1.2.2	—

Affected products

2

markdown-it-decorate/markdown-it-decoratedescription
ghsa-coords
pkg:npm/markdown-it-decorate
Range: <= 1.2.2

Patches

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

github.com/advisories/GHSA-rhf5-2378-3w3wghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2020-28459ghsaADVISORY
github.com/rstacruz/markdown-it-decorate/commit/a6b33ce79e9b8cddf6184c754713e6af65253909ghsaWEB
security.snyk.io/vuln/SNYK-JS-MARKDOWNITDECORATE-1044068ghsax_refsource_MISCWEB

News mentions

0

No linked articles in our index yet.