VYPR
Medium severity (6.4) · GHSA Advisory · Published May 8, 2026 · Updated May 13, 2026

CVE-2026-41591

Description

Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a <script> or <style> tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a <script> or <style> block could break out of the tag with </SCRIPT>, </Style>, etc. and inject arbitrary HTML/JavaScript, resulting in cross-site scripting. This issue has been patched in marko version 5.38.36 and @marko/runtime-tags 6.0.164.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Marko template engine fails to sanitize mixed-case closing tags in <script>/<style> blocks, allowing XSS via tag breakout.

Root cause

Marko's runtime uses case-sensitive regular expressions (e.g., /</script/g) to detect and prevent attempts to close a <script> or <style> tag when interpolating dynamic text. However, HTML tag names are case-insensitive in browsers. An attacker can bypass the sanitization by using a mixed-case closing tag such as </SCRIPT> or </Style>, which is not matched by the regex but is still interpreted by the browser as a valid closing tag [1][2].
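The root cause described above, as an added illustration that is not Marko's own code: a hypothetical case-sensitive escaping helper beside a case-insensitive one, and a defender-side check that flags script content a browser would still parse as an end tag. All function names and the template step are assumptions made for this example; upgrading remains the fix the advisory gives.

```javascript
// Added illustration of the defect class, constructed for this page; these
// helpers are hypothetical and are NOT Marko's actual runtime code.

// Flawed helper: the regex is case-sensitive, so only a lowercase closing tag
// is neutralised. Browsers compare end-tag names ASCII-case-insensitively.
function escapeInlineTextFlawed(text) {
  return String(text).replace(/<\/script/g, "<\\/script");
}

// Hardened helper: the `i` flag matches any casing, the captured tag name is
// kept so the value round-trips, and the inserted backslash breaks the "</"
// sequence (it is an identity escape in JS string literals, JSON and CSS).
function escapeInlineTextHardened(text) {
  return String(text).replace(/<\/(script|style)/gi, "<\\/$1");
}

// Simulated template step: dynamic text serialised with JSON.stringify and
// placed between <script> and </script>. JSON.stringify handles quotes but
// does not escape "/", so a closing tag inside the value survives unless the
// helper catches it.
function renderScriptBody(userInput, escaper) {
  return "var name = " + escaper(JSON.stringify(userInput)) + ";";
}

// Defender-side check on script/style content: would an HTML tokenizer see an
// end tag here? The lookahead mirrors the tokenizer rule that the tag name
// must be followed by whitespace, "/" or ">" to count as an end tag.
function containsTagBreakout(content) {
  return /<\/(?:script|style)(?=[\s\/>])/i.test(content);
}

// Constructed sample input: the mixed-case breakout string quoted in the
// advisory narrative above.
const SAMPLE_INPUT = "</SCRIPT><script>alert(1)//";

console.log("flawed  :", renderScriptBody(SAMPLE_INPUT, escapeInlineTextFlawed));
console.log("hardened:", renderScriptBody(SAMPLE_INPUT, escapeInlineTextHardened));
```

The flawed helper leaves the breakout untouched, while the hardened output still decodes to the original value because `\/` is a valid JSON and JavaScript string escape.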

Exploitation

To exploit this, an attacker must be able to place user-controlled input inside a <script> or <style> block within a Marko template. When the template renders the input, the Marko runtime passes it through the flawed sanitization helper. The attacker can include a string like </SCRIPT><script>alert(1)//. The output, when parsed by the browser, treats the mixed-case tag as ending the script context, then parses the subsequent <script> tag as a new script element, executing the injected code [2].

Impact

Successful exploitation leads to cross-site scripting (XSS). If the vulnerable input originates from persisted user data (e.g., username, comment), stored XSS is possible, allowing an attacker to execute arbitrary JavaScript in the context of any victim viewing the affected page [1][2].

Mitigation

The issue is patched in marko version 5.38.36 and @marko/runtime-tags version 6.0.164. Users should upgrade immediately. No workaround is available for earlier versions [1][2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions   Patched versions
marko (npm)                 < 5.38.36           5.38.36
@marko/runtime-tags (npm)   < 6.0.164           6.0.164

Affected products (2)

  • Marko Js / Marko (GHSA, 2 versions)
    • (no CPE) range: < 6.0.164
    • (no CPE) range: < 5.38.36

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.