Bug 2497554 (CVE-2026-59710)

Summary: CVE-2026-59710 showdown: Showdown: Stored Cross-Site Scripting via unescaped table header ID attributes in markdown
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, akostadi, amasferr, aruklets, bdettelb, cmah, dkeler, dmayorov, doconnor, dschmidt, eaguilar, ebaron, gparvin, jkoehler, jlanda, jlledo, jolong, kshier, lphiri, pantinor, pjindal, rhaigner, simaishi, stcannon, suppawar, teagle, thason, tsedmik, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Showdown. This vulnerability, a stored cross-site scripting (XSS) issue, allows an attacker to inject malicious code into web pages. By exploiting unescaped table header ID attributes in markdown, an attacker can embed arbitrary HTML and script-executing elements. When untrusted markdown is processed, this can lead to the execution of malicious scripts in a user's web browser, potentially compromising user data or session integrity.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-07-06 22:03:05 UTC
showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdown table headers, achieving stored XSS when untrusted markdown is rendered with the default github flavor configuration.