CVE-2026-41591

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.4 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N                                    

Vulnerability Description

Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a <script> or <style> tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a <script> or <style> block could break out of the tag with </SCRIPT>, </Style>, etc. and inject arbitrary HTML/JavaScript, resulting in cross-site scripting. This issue has been patched in marko version 5.38.36 and @marko/runtime-tags 6.0.164.

Vulnerability Details

Published Date

April 22, 2026

Last Modified

May 13, 2026

CWE ID

CWE-79

Source

GitHub

Vendor

npm

Product

marko

External References

https://github.com/marko-js/marko/security/advisories/GHSA-x9fj-57fh-c8wq
https://github.com/advisories/GHSA-x9fj-57fh-c8wq

CVE-2026-41591

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment