CVSS Score
The vulnerability stems from improper input sanitization in the markdown renderers. The commit diff shows the removal of lodash's escape() function from several parser components (Bold, Emphasis, etc.) that process user-supplied content. These renderers recursively pass unescaped user input to the marked parser, which allows nested XSS payloads. The functions are vulnerable because they process raw user input without HTML entity encoding before markdown rendering, enabling script injection through crafted markdown syntax. The high confidence rests on the explicit removal of escaping in the patch and on the XSS-prone pattern of rendering untrusted content without sanitization.
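An added example, not code from the memos project or its patch, that demonstrates the point above with a minimal recursive inline renderer: the same Bold/Emphasis-style parsing either entity-encodes the user-supplied text leaves before they become HTML or passes them through raw. The function names, regexes and sample input are assumptions constructed for this illustration.

```javascript
// Added example, not code from the memos project: a minimal recursive
// inline markdown renderer (Bold and Emphasis only) in which a flag
// switches the text-leaf escaping on or off. The renderer, regexes and
// sample input are constructed for illustration.

// Entity-encode the characters that can open a tag, attribute or entity.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Anchored at the start of the remaining input, in the style of the
// Bold/Emphasis renderer components described above.
const BOLD = /^\*\*(.+?)\*\*/;
const EMPHASIS = /^\*(.+?)\*/;

// Renders markdown to an HTML string. Each matched construct recursively
// renders its inner text, so escaping is applied exactly once, at the text
// leaves: escaping the whole inner string at every level would double-encode
// nested content (&amp;lt;), while escaping nowhere (escapeText=false) lets
// raw tags in user input reach the DOM untouched.
function render(md, escapeText) {
  let out = '';
  let rest = md;
  while (rest.length > 0) {
    let m;
    if ((m = BOLD.exec(rest))) {
      out += '<strong>' + render(m[1], escapeText) + '</strong>';
      rest = rest.slice(m[0].length);
    } else if ((m = EMPHASIS.exec(rest))) {
      out += '<em>' + render(m[1], escapeText) + '</em>';
      rest = rest.slice(m[0].length);
    } else {
      // Plain text up to the next '*'; at least one character is consumed,
      // so the loop always terminates.
      const next = rest.indexOf('*', 1);
      const text = next === -1 ? rest : rest.slice(0, next);
      out += escapeText ? escapeHtml(text) : text;
      rest = rest.slice(text.length);
    }
  }
  return out;
}

// Vulnerable path: user-supplied tags survive rendering unchanged.
function renderUnsafe(md) { return render(md, false); }
// Hardened path: user-supplied text is entity-encoded before it becomes HTML.
function renderSafe(md) { return render(md, true); }

// Constructed sample input: a raw tag nested inside bold markup.
const SAMPLE = '**<script>x()</script>**';
```

Rendering the same nested input through both paths shows the difference the removed escape() call makes: the unsafe path emits the tag verbatim, the safe path emits only entities.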
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/usememos/memos | go | <= 0.9.0 | 0.9.1 |