GHSA-5VP3-3CG6-2RQ3: Cross-Site Scripting via Markdown Serialization Breakout in justhtml
Source: Dev.to

Vulnerability ID: GHSA-5VP3-3CG6-2RQ3
CVSS Score: 7.5 (High)
Published: 2026‑03‑24
TL;DR
justhtml's `to_markdown()` does not neutralize backticks inside `<code>` tags when serializing HTML to Markdown, so attacker-controlled content can break out of the generated code span and reach the downstream Markdown renderer as raw markup, enabling XSS.
Technical Details
- CWE IDs: CWE‑79 (Improper Neutralization of Input During Web Page Generation), CWE‑74 (Improper Neutralization of Special Elements)
- Attack Vector: Network
- Impact: Arbitrary JavaScript execution
- Exploit Status: Proof of Concept available
- KEV Status: Not listed
- Affected Component: `justhtml.to_markdown()`
- Remediation: Upgrade to ≥ 1.13.0
Affected Systems
- Python applications that use the `justhtml` library for HTML‑to‑Markdown conversion.
- Content Management Systems (CMS) that rely on `justhtml` for processing user‑generated content.
- Applications that pipe `justhtml` output directly into Markdown‑to‑HTML engines such as GFM or CommonMark.
Affected versions: justhtml < 1.13.0 (all releases before the fix for backtick handling in `<code>` tags).
Exploit Details
- Security Research PoC: GitHub Advisory – GHSA-5VP3-3CG6-2RQ3 – demonstrates a Markdown code‑block breakout using backticks inside a `<code>` element.
Mitigation Strategies
- Upgrade `justhtml` to version 1.13.0 or newer.
- Apply secondary HTML sanitization on the output of the Markdown renderer.
- Configure downstream Markdown parsers to disable raw HTML rendering.
- Deploy a robust Content Security Policy (CSP) that restricts inline JavaScript execution.
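To make the breakout concrete, the following added example (written for this page, not code from justhtml or the advisory PoC) contrasts the unsafe "wrap in single backticks" serialization with the CommonMark-correct form, which delimits a code span with a backtick run longer than any run inside the content. A minimal CommonMark code-span scanner then shows that the naive output leaks markup outside the code span while the safe output keeps it inert. The sample `<code>` content and all function names are constructed for illustration.

```python
import re

RUN = re.compile(r"`+")

# Constructed sample <code> content (not the advisory's PoC): a stray backtick
# followed by markup that should stay inert inside the code span.
SAMPLE = "x` <em>not code</em> `y"

def naive_code_span(text):
    """The unsafe pattern: wrap in single backticks regardless of content."""
    return "`" + text + "`"

def safe_code_span(text):
    """Delimit with a backtick run longer than any run inside the text; pad with
    one space on each side when the text starts or ends with a backtick, since
    CommonMark strips exactly one such space on parse."""
    longest = max((len(r) for r in RUN.findall(text)), default=0)
    fence = "`" * (longest + 1)
    if text.startswith("`") or text.endswith("`"):
        text = " " + text + " "
    return fence + text + fence

def parse_code_spans(md):
    """Minimal CommonMark code-span scanner: an opening run of N backticks is
    closed by the next run of exactly N. Returns (span_contents, text_outside)."""
    spans, outside, i = [], "", 0
    while i < len(md):
        m = RUN.match(md, i)
        if not m:
            outside += md[i]; i += 1; continue
        n, j, close = len(m.group()), m.end(), None
        while (c := RUN.search(md, j)) is not None:
            if len(c.group()) == n: close = c; break
            j = c.end()
        if close is None:  # unmatched run is literal text
            outside += m.group(); i = m.end(); continue
        content = md[m.end():close.start()]
        if content.strip() and content[0] == content[-1] == " ":
            content = content[1:-1]  # CommonMark strips one padding space per side
        spans.append(content); i = close.end()
    return spans, outside

def leaks_markup(md):
    """True when a '<' lands outside every code span, i.e. a breakout occurred."""
    return "<" in parse_code_spans(md)[1]

if __name__ == "__main__":
    print(leaks_markup(naive_code_span(SAMPLE)))  # True: markup escaped the span
    print(leaks_markup(safe_code_span(SAMPLE)))   # False: stays inside the span
```

The same scanner can be run over real `to_markdown()` output as a regression check: any `<` appearing outside a code span for input that was entirely inside `<code>` indicates the breakout is still present.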
Remediation Steps
1. Identify all projects that depend on `justhtml`.
2. Update dependency specifications in `requirements.txt` or `pyproject.toml` to `justhtml>=1.13.0`.
3. Run the package manager update, e.g. `pip install --upgrade justhtml`.
4. Verify the fix by executing the provided PoC payload against the updated application.
5. Review and harden downstream Markdown rendering configurations to follow security best practices.