CVE-2021-47837

Description

Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Markdownify 1.2.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2021-47837
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2021-47837
[3] CVE Details https://www.cvedetails.com/cve/CVE-2021-47837/
[4] VulDB https://vuldb.com/cve/CVE-2021-47837
[5] https://github.com/amitmerchant1990/electron-markdownify
[6] https://imgur.com/a/T4jBoiS
[7] https://www.exploit-db.com/exploits/49835
[8] https://www.vulncheck.com/advisories/markdownify-persistent-cross-site-scripting
[9] https://www.vulncheck.com/advisories/markdownify-persistent-cross-site-scripting

Raw JSON Data

JSON

{"cve": {"id": "CVE-2021-47837", "sourceIdentifier": "[email protected]", "published": "2026-01-16T19:16:09.223", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution."}, {"lang": "es", "value": "Markdownify 1.2.0 contiene una vulnerabilidad persistente de cross-site scripting que permite a los atacantes almacenar cargas útiles maliciosas dentro de archivos markdown. Los atacantes pueden subir archivos markdown manipulados con scripts incrustados que se ejecutan cuando se abre el archivo, lo que podría permitir la ejecución remota de código."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/amitmerchant1990/electron-markdownify", "source": "[email protected]"}, {"url": "https://imgur.com/a/T4jBoiS", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49835", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/markdownify-persistent-cross-site-scripting", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/markdownify-persistent-cross-site-scripting", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}