VYPR
Medium severity 6.4 · GHSA Advisory · Published May 8, 2026 · Updated May 13, 2026

CVE-2026-41591

Description

Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a , , etc. and inject arbitrary HTML/JavaScript, resulting in cross-site scripting. This issue has been patched in marko version 5.38.36 and @marko/runtime-tags 6.0.164.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| marko (npm) | < 5.38.36 | 5.38.36 |
| @marko/runtime-tags (npm) | < 6.0.164 | 6.0.164 |
