Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in markdown-it allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/renderer.mjs. This issue affects markdown-it: 14.1.0.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

No data.

No data.

No data.

References
Link Providers
https://fluidattacks.com/advisories/fito cve-icon cve-icon cve-icon cve-icon
https://github.com/markdown-it/markdown-it cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-7969 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-7969 cve-icon
History

Fri, 22 Aug 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

threat_severity

Moderate

Thu, 21 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 Aug 2025 17:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in markdown-it allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/renderer.mjs. This issue affects markdown-it: 14.1.0.
Title Markdown-it 14.1.0 - Cross-site scripting (XSS)
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published: 2025-08-21T16:40:05.915Z

Updated: 2025-08-21T17:31:23.103Z

Reserved: 2025-07-21T18:41:55.203Z

Link: CVE-2025-7969

cve-icon Vulnrichment

Updated: 2025-08-21T17:22:08.233Z

cve-icon NVD

Status : Received

Published: 2025-08-21T17:15:32.893

Modified: 2025-08-21T18:15:37.350

Link: CVE-2025-7969

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-08-21T16:40:05Z

Links: CVE-2025-7969 - Bugzilla