{"id":"CVE-2020-26298","details":"Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit.","aliases":["GHSA-q3wr-qw3g-3p4h"],"modified":"2026-05-30T15:45:55.435731Z","published":"2021-01-11T19:15:13.133Z","related":["SUSE-SU-2021:3728-1","SUSE-SU-2021:3729-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"9.0"},{"last_affected":"10.0"}],"vendor_product":"debian:debian_linux","cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"source":"CPE_STRING"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFMYDIONVWATY7EB6EARDVXT47AYCRNM/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNO4ZZUPGAEUXKQL4G2HRIH7CUZKPCT6/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXNNWHHAPREDM3XJDACYRTK7DBMUONBI/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-q3wr-qw3g-3p4h"},{"type":"ADVISORY","url":"https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/01/msg00014.html"},{"type":"ADVISORY","url":"https://rubygems.org/gems/redcarpet"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4831"},{"type":"FIX","url":"https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vmg/redcarpet","events":[{"introduced":"0"},{"fixed":"a699c82292b17c8e6a62e1914d5eccc252272793"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"3.5.1"}],"cpe":"cpe:2.3:a:redcarpet_project:redcarpet:*:*:*:*:*:ruby:*:*","source":["CPE_RANGE","REFERENCES"]}}],"versions":["v3.5.0","v3.4.0","v3.3.4","v3.3.3","v3.3.1","v3.3.2","v3.3.0","v3.2.0","v3.1.1","v3.0.0","v2.2.2","v2.2.1","v2.2.0","v2.1.1","v2.1.0","v2.0.1","v2.0.0","v1.17.2"],"database_specific":{"vanir_signatures_modified":"2026-05-30T15:45:55Z","vanir_signatures":[{"signature_version":"v1","deprecated":false,"target":{"file":"ext/redcarpet/html.c"},"digest":{"threshold":0.9,"line_hashes":["198197667677715849428623281048180277561","54830763969004594676731107425085190938","97811103998125843691871254455650728211","139603207368515949909553120480638757958","313289017949240420953274720090354965485"]},"id":"CVE-2020-26298-bc2a74b8","signature_type":"Line","source":"https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793"},{"signature_version":"v1","deprecated":false,"target":{"function":"rndr_quote","file":"ext/redcarpet/html.c"},"digest":{"length":249,"function_hash":"244524669993411248594301671481377802264"},"id":"CVE-2020-26298-ccd1bdea","signature_type":"Function","source":"https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26298.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}