m
dast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.
References
Configurations
History
06 Feb 2026, 16:36
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:unifiedjs:mdast-util-to-hast:*:*:*:*:*:node.js:*:* | |
| First Time |
Unifiedjs mdast-util-to-hast
Unifiedjs |
06 Feb 2026, 16:17
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | NVD-CWE-Other | |
| First Time |
Syntax-tree
Syntax-tree mdast-util-to-hast |
|
| References | () https://github.com/syntax-tree/mdast-util-to-hast/commit/6fc783ae6abdeb798fd5a68e7f3f21411dde7403 - Patch | |
| References | () https://github.com/syntax-tree/mdast-util-to-hast/commit/ab3a79570a1afbfa7efef5d4a0cd9b5caafbc5d7 - Patch | |
| References | () https://github.com/syntax-tree/mdast-util-to-hast/security/advisories/GHSA-4fh9-h7wg-q85m - Vendor Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
| CPE | cpe:2.3:a:syntax-tree:mdast-util-to-hast:*:*:*:*:*:*:*:* |
01 Dec 2025, 23:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-12-01 23:15
Updated : 2026-02-06 16:36
NVD link : CVE-2025-66400
Mitre link : CVE-2025-66400
CVE.ORG link : CVE-2025-66400
JSON object : View
Products Affected
CWE
CWE-20
Improper Input Validation
CWE-915Improperly Controlled Modification of Dynamically-Determined Object Attributes
NVD-CWE-Other