{"id":"CVE-2020-26298","details":"Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions, no HTML escaping was performed when processing quotes, so markup inside quoted text reached the rendered output unescaped. This applies even when the `:escape_html` option was used, so enabling that option does not mitigate the issue. This is fixed in version 3.5.1 by the referenced commit.","aliases":["GHSA-q3wr-qw3g-3p4h"],"modified":"2026-05-18T16:32:38.483555Z","published":"2021-01-11T19:15:13.133Z","related":["SUSE-SU-2021:3728-1","SUSE-SU-2021:3729-1"],"database_specific":{"unresolved_ranges":[{"vendor_product":"debian:debian_linux","extracted_events":[{"last_affected":"9.0"},{"last_affected":"10.0"}],"source":"CPE_FIELD","cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"]}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFMYDIONVWATY7EB6EARDVXT47AYCRNM/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNO4ZZUPGAEUXKQL4G2HRIH7CUZKPCT6/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXNNWHHAPREDM3XJDACYRTK7DBMUONBI/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-q3wr-qw3g-3p4h"},{"type":"ADVISORY","url":"https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/01/msg00014.html"},{"type":"ADVISORY","url":"https://rubygems.org/gems/redcarpet"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4831"},{"type":"FIX","url":"https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vmg/redcarpet","events":[{"introduced":"0"},{"fixed":"a699c82292b17c8e
6a62e1914d5eccc252272793"}],"database_specific":{"cpe":"cpe:2.3:a:redcarpet_project:redcarpet:*:*:*:*:*:ruby:*:*","extracted_events":[{"introduced":"0"},{"fixed":"3.5.1"}],"source":["CPE_FIELD","REFERENCES"]}}],"versions":["v3.5.0","v3.4.0","v3.3.4","v3.3.3","v3.3.1","v3.3.2","v3.3.0","v3.2.0","v3.1.1","v3.0.0","v2.2.2","v2.2.1","v2.2.0","v2.1.1","v2.1.0","v2.0.1","v2.0.0","v1.17.2"],"database_specific":{"vanir_signatures_modified":"2026-05-18T16:32:38Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26298.json","vanir_signatures":[{"target":{"file":"ext/redcarpet/html.c"},"id":"CVE-2020-26298-bc2a74b8","signature_type":"Line","deprecated":false,"source":"https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["198197667677715849428623281048180277561","54830763969004594676731107425085190938","97811103998125843691871254455650728211","139603207368515949909553120480638757958","313289017949240420953274720090354965485"]}},{"target":{"function":"rndr_quote","file":"ext/redcarpet/html.c"},"id":"CVE-2020-26298-ccd1bdea","signature_type":"Function","deprecated":false,"source":"https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793","signature_version":"v1","digest":{"function_hash":"244524669993411248594301671481377802264","length":249}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}