Medium severity 6.4 · GHSA Advisory · Published May 8, 2026 · Updated May 13, 2026
CVE-2026-41591
Description
Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a , , etc. and inject arbitrary HTML/JavaScript, resulting in cross-site scripting. This issue has been patched in marko version 5.38.36 and @marko/runtime-tags 6.0.164.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| marko (npm) | < 5.38.36 | 5.38.36 |
| @marko/runtime-tags (npm) | < 6.0.164 | 6.0.164 |
Affected products
- (no CPE) range: < 6.0.164
- (no CPE) range: < 5.38.36