CVE-2025-51691

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

C

ross-Site Scripting (XSS) vulnerability found in MarkTwo commit e3a1d3f90cce4ea9c26efcbbf3a1cbfb9dcdb298 (May 2025) allows a remote attacker to execute arbitrary code via a crafted script input to the editor interface. The application does not properly sanitize user-supplied Markdown before rendering it. Successful exploitation could lead to session hijacking, credential theft, or arbitrary client-side code execution in the context of the victim's browser.

References

Link	Resource
https://github.com/0x72303074/CVE-Disclosures/tree/main/MarkTwo%20Markdown%20Editor/CVE-2025-51691
https://github.com/anthonygarvan/marktwo
https://marktwo.app/try-it-now

Configurations

No configuration.

History

13 Aug 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-13 15:15

Updated : 2025-08-13 20:15

NVD link : CVE-2025-51691

Mitre link : CVE-2025-51691

CVE.ORG link : CVE-2025-51691

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-51691", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2025-08-13T15:15:35.027", "references": [{"url": "https://github.com/0x72303074/CVE-Disclosures/tree/main/MarkTwo%20Markdown%20Editor/CVE-2025-51691", "source": "[email protected]"}, {"url": "https://github.com/anthonygarvan/marktwo", "source": "[email protected]"}, {"url": "https://marktwo.app/try-it-now", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Cross-Site Scripting (XSS) vulnerability found in MarkTwo commit e3a1d3f90cce4ea9c26efcbbf3a1cbfb9dcdb298 (May 2025) allows a remote attacker to execute arbitrary code via a crafted script input to the editor interface. The application does not properly sanitize user-supplied Markdown before rendering it. Successful exploitation could lead to session hijacking, credential theft, or arbitrary client-side code execution in the context of the victim's browser."}, {"lang": "es", "value": "La vulnerabilidad de Cross-Site Scripting (XSS) detectada en el commit e3a1d3f90cce4ea9c26efcbbf3a1cbfb9dcdb298 de MarkTwo (mayo de 2025) permite a un atacante remoto ejecutar c\u00f3digo arbitrario mediante una entrada de script manipulado en la interfaz del editor. La aplicaci\u00f3n no depura correctamente el Markdown proporcionado por el usuario antes de renderizarlo. Una explotaci\u00f3n exitosa podr\u00eda provocar el secuestro de sesi\u00f3n, el robo de credenciales o la ejecuci\u00f3n de c\u00f3digo arbitrario del lado del cliente en el contexto del navegador de la v\u00edctima."}], "lastModified": "2025-08-13T20:15:30.700", "sourceIdentifier": "[email protected]"}