{"url":"http://public2.vulnerablecode.io/api/packages/517868?format=json","purl":"pkg:deb/debian/node-marked@0.3.2%2Bdfsg-1","type":"deb","namespace":"debian","name":"node-marked","version":"0.3.2+dfsg-1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.5.1+dfsg-1","latest_non_vulnerable_version":"4.2.3+ds+~4.0.7-2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30506?format=json","vulnerability_id":"VCID-3nt4-689k-qkan","summary":"Regular Expression Denial of Service\nMarked 0.3.3 and earlier is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed in to be parsed.\n\n\"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.\" [1]\n\nMarked's catastrophic backtracking issue for the `em` inline rule has now been patched in 0.3.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-8854","reference_id":"","reference_type":"","scores":[{"value":"0.01098","scoring_system":"epss","scoring_elements":"0.7839","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01098","scoring_system":"epss","scoring_elements":"0.7836","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01098","scoring_system":"epss","scoring_elements":"0.78386","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01098","scoring_system":"epss","scoring_elements":"0.78395","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01098","scoring_system":"epss","scoring_elements":"0.78372","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01098","scoring_system":"epss","scoring_elements":"0.78384","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-8854"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8854","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8854"},{"reference_url":"https://github.com/chjj/marked","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/chjj/marked"},{"reference_url":"https://github.com/chjj/marked/issues/497","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/chjj/marked/issues/497"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S/"},{"reference_url":"https://nodesecurity.io/advisories/23","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/23"},{"reference_url":"https://support.f5.com/csp/article/K05052081?utm_source=f5support&amp;utm_medium=RSS","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://support.f5.com/csp/article/K05052081?utm_source=f5support&amp;utm_medium=RSS"},{"reference_url":"https://www.npmjs.com/advisories/23","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/23"},{"reference_url":"https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS"},{"reference_url":"http://www.openwall.com/lists/oss-security/2016/04/20/11","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2016/04/20/11"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/23.json","reference_id":"23","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/23.json"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-8854","reference_id":"CVE-2015-8854","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-8854"},{"reference_url":"https://github.com/advisories/GHSA-hjcp-j389-59ff","reference_id":"GHSA-hjcp-j389-59ff","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hjcp-j389-59ff"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/517869?format=json","purl":"pkg:deb/debian/node-marked@0.3.6%2Bdfsg-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-b8e2-2cre-2bbt"},{"vulnerability":"VCID-edfz-a78w-13dh"},{"vulnerability":"VCID-gzan-ec95-93ex"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-marked@0.3.6%252Bdfsg-1"}],"aliases":["CVE-2015-8854","GHSA-hjcp-j389-59ff"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3nt4-689k-qkan"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39679?format=json","vulnerability_id":"VCID-5bd3-3bhj-e7hr","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nmarked is an application that is meant to parse and compile markdown. Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-10531","reference_id":"","reference_type":"","scores":[{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52693","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52671","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52648","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52674","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52627","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52686","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-10531"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10531","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10531"},{"reference_url":"https://github.com/advisories/GHSA-vfvf-mqq8-rwqc","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vfvf-mqq8-rwqc"},{"reference_url":"https://github.com/chjj/marked/pull/592","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/chjj/marked/pull/592"},{"reference_url":"https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523"},{"reference_url":"https://nodesecurity.io/advisories/101","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/101"},{"reference_url":"https://www.npmjs.com/advisories/101","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/101"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10531","reference_id":"CVE-2016-10531","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10531"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/517869?format=json","purl":"pkg:deb/debian/node-marked@0.3.6%2Bdfsg-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-b8e2-2cre-2bbt"},{"vulnerability":"VCID-edfz-a78w-13dh"},{"vulnerability":"VCID-gzan-ec95-93ex"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-marked@0.3.6%252Bdfsg-1"}],"aliases":["CVE-2016-10531","GHSA-vfvf-mqq8-rwqc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5bd3-3bhj-e7hr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57342?format=json","vulnerability_id":"VCID-b8e2-2cre-2bbt","summary":"Marked allows Regular Expression Denial of Service (ReDoS) attacks\nMarked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-25110","reference_id":"","reference_type":"","scores":[{"value":"0.00774","scoring_system":"epss","scoring_elements":"0.73959","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00774","scoring_system":"epss","scoring_elements":"0.73965","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00774","scoring_system":"epss","scoring_elements":"0.73982","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00774","scoring_system":"epss","scoring_elements":"0.73996","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00774","scoring_system":"epss","scoring_elements":"0.73992","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-25110"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25110","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25110"},{"reference_url":"https://github.com/markedjs/marked","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/markedjs/marked"},{"reference_url":"https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd485","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-23T15:09:00Z/"}],"url":"https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd485"},{"reference_url":"https://github.com/markedjs/marked/issues/1070","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-23T15:09:00Z/"}],"url":"https://github.com/markedjs/marked/issues/1070"},{"reference_url":"https://github.com/markedjs/marked/pull/1083","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-23T15:09:00Z/"}],"url":"https://github.com/markedjs/marked/pull/1083"},{"reference_url":"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2018/CVE-2018-25110","reference_id":"CVE-2018-25110","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-23T15:09:00Z/"}],"url":"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2018/CVE-2018-25110"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-25110","reference_id":"CVE-2018-25110","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-25110"},{"reference_url":"https://github.com/advisories/GHSA-p9wx-2529-fp83","reference_id":"GHSA-p9wx-2529-fp83","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p9wx-2529-fp83"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/558457?format=json","purl":"pkg:deb/debian/node-marked@0.5.1%2Bdfsg-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-marked@0.5.1%252Bdfsg-1"}],"aliases":["CVE-2018-25110","GHSA-p9wx-2529-fp83"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b8e2-2cre-2bbt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39242?format=json","vulnerability_id":"VCID-edfz-a78w-13dh","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nmarked is vulnerable to an XSS attack in the data: URI parser.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000427","reference_id":"","reference_type":"","scores":[{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60242","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60243","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60225","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60254","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60205","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60252","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000427"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000427","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000427"},{"reference_url":"https://github.com/advisories/GHSA-7px7-7xjx-hxm8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7px7-7xjx-hxm8"},{"reference_url":"https://github.com/markedjs/marked","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/markedjs/marked"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S/"},{"reference_url":"https://snyk.io/vuln/npm:marked:20170112","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/npm:marked:20170112"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886451","reference_id":"886451","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886451"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000427","reference_id":"CVE-2017-1000427","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000427"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/558457?format=json","purl":"pkg:deb/debian/node-marked@0.5.1%2Bdfsg-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-marked@0.5.1%252Bdfsg-1"}],"aliases":["CVE-2017-1000427","GHSA-7px7-7xjx-hxm8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-edfz-a78w-13dh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39794?format=json","vulnerability_id":"VCID-gzan-ec95-93ex","summary":"Uncontrolled Resource Consumption\nThe marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16114","reference_id":"","reference_type":"","scores":[{"value":"0.00403","scoring_system":"epss","scoring_elements":"0.6123","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00403","scoring_system":"epss","scoring_elements":"0.61218","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00403","scoring_system":"epss","scoring_elements":"0.61198","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00403","scoring_system":"epss","scoring_elements":"0.61216","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00403","scoring_system":"epss","scoring_elements":"0.61174","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00403","scoring_system":"epss","scoring_elements":"0.61222","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16114"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16114","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16114"},{"reference_url":"https://github.com/advisories/GHSA-x5pg-88wf-qq4p","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x5pg-88wf-qq4p"},{"reference_url":"https://github.com/chjj/marked/issues/937","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/chjj/marked/issues/937"},{"reference_url":"https://nodesecurity.io/advisories/531","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/531"},{"reference_url":"https://www.npmjs.com/advisories/531","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/531"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16114","reference_id":"CVE-2017-16114","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16114"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/558457?format=json","purl":"pkg:deb/debian/node-marked@0.5.1%2Bdfsg-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-marked@0.5.1%252Bdfsg-1"}],"aliases":["CVE-2017-16114","GHSA-x5pg-88wf-qq4p"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gzan-ec95-93ex"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30513?format=json","vulnerability_id":"VCID-y6xb-gmwg-7qbc","summary":"VBScript Content Injection\nMarked 0.3.2 and earlier is vulnerable to content injection even when `sanitize: true` is enabled.\n\n`[xss link](vbscript:alert(1&#41;)`\n\nwill get a link\n\n`<a href=\"vbscript:alert(1)\">xss link</a>`\n\nthis script does not work in IE 11 edge mode, but works in IE 10 compatibility view.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-1370","reference_id":"","reference_type":"","scores":[{"value":"0.00349","scoring_system":"epss","scoring_elements":"0.57682","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00349","scoring_system":"epss","scoring_elements":"0.57736","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00349","scoring_system":"epss","scoring_elements":"0.57719","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00349","scoring_system":"epss","scoring_elements":"0.57732","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00349","scoring_system":"epss","scoring_elements":"0.57742","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00349","scoring_system":"epss","scoring_elements":"0.57733","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-1370"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1370","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1370"},{"reference_url":"https://github.com/chjj/marked/issues/492","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/chjj/marked/issues/492"},{"reference_url":"https://github.com/evilpacket/marked/commit/3c191144939107c45a7fa11ab6cb88be6694a1ba","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/evilpacket/marked/commit/3c191144939107c45a7fa11ab6cb88be6694a1ba"},{"reference_url":"https://github.com/markedjs/marked","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/markedjs/marked"},{"reference_url":"https://github.com/markedjs/marked/commit/fc372d1c6293267722e33f2719d57cebd67b3da1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/markedjs/marked/commit/fc372d1c6293267722e33f2719d57cebd67b3da1"},{"reference_url":"https://github.com/markedjs/marked/issues/492","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/markedjs/marked/issues/492"},{"reference_url":"https://www.npmjs.com/advisories/24","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/24"},{"reference_url":"https://www.npmjs.com/advisories/24/versions","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/24/versions"},{"reference_url":"http://www.openwall.com/lists/oss-security/2015/01/23/2","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2015/01/23/2"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/24.json","reference_id":"24","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/24.json"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-1370","reference_id":"CVE-2015-1370","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-1370"},{"reference_url":"https://github.com/advisories/GHSA-cfjh-p3g4-3q2f","reference_id":"GHSA-cfjh-p3g4-3q2f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cfjh-p3g4-3q2f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/517869?format=json","purl":"pkg:deb/debian/node-marked@0.3.6%2Bdfsg-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-b8e2-2cre-2bbt"},{"vulnerability":"VCID-edfz-a78w-13dh"},{"vulnerability":"VCID-gzan-ec95-93ex"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-marked@0.3.6%252Bdfsg-1"}],"aliases":["CVE-2015-1370","GHSA-cfjh-p3g4-3q2f"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y6xb-gmwg-7qbc"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30516?format=json","vulnerability_id":"VCID-3hp9-cv2c-r7gc","summary":"Multiple Content Injection Vulnerabilities\nMarked comes with an option to sanitize user output to help protect against content injection attacks.\n\n```sanitize: true```\n\nEven if this option is set, marked is vulnerable to content injection in multiple locations if untrusted user input is allowed to be provided into marked and that output is passed to the browser.\n\nInjection is possible in two locations\n\n- gfm codeblocks (language)\n- javascript url's","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3743","reference_id":"","reference_type":"","scores":[{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.62105","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.62103","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.62086","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.62101","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.62112","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.62056","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3743"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3743","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3743"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3743","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3743"},{"reference_url":"https://nodesecurity.io/advisories/marked_multiple_content_injection_vulnerabilities","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/marked_multiple_content_injection_vulnerabilities"},{"reference_url":"https://www.npmjs.com/advisories/22","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/22"},{"reference_url":"http://www.openwall.com/lists/oss-security/2014/05/13/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2014/05/13/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2014/05/15/2","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2014/05/15/2"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/22.json","reference_id":"22","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/22.json"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-1850","reference_id":"CVE-2014-1850","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-1850"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3743","reference_id":"CVE-2014-3743","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3743"},{"reference_url":"https://github.com/advisories/GHSA-9cw2-jqp5-7x39","reference_id":"GHSA-9cw2-jqp5-7x39","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9cw2-jqp5-7x39"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/517868?format=json","purl":"pkg:deb/debian/node-marked@0.3.2%2Bdfsg-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3nt4-689k-qkan"},{"vulnerability":"VCID-5bd3-3bhj-e7hr"},{"vulnerability":"VCID-b8e2-2cre-2bbt"},{"vulnerability":"VCID-edfz-a78w-13dh"},{"vulnerability":"VCID-gzan-ec95-93ex"},{"vulnerability":"VCID-y6xb-gmwg-7qbc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-marked@0.3.2%252Bdfsg-1"}],"aliases":["CVE-2014-3743","GHSA-9cw2-jqp5-7x39"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3hp9-cv2c-r7gc"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-marked@0.3.2%252Bdfsg-1"}