MarkTwo Cross-Site Scripting Vulnerability in Markdown Editor

A Cross-Site Scripting (XSS) vulnerability has been identified in the MarkTwo Markdown Editor, specifically in commit e3a1d3f90cce4ea9c26efcbbf3a1cbfb9dcdb298, which is the latest version as of May 2025. This vulnerability allows remote attackers to execute arbitrary code by injecting a crafted script into the editor interface. The issue arises because the application fails to properly sanitize user-generated Markdown before rendering it. Exploitation of this vulnerability could result in session hijacking, theft of credentials, or execution of arbitrary client-side code in the context of the user's browser.

Impact

Exploitation of this vulnerability could lead to session hijacking, credential theft, or execution of arbitrary client-side code in the context of the victim's browser.

Reproduction

To reproduce this vulnerability, inject a script payload into the Markdown editor. The absence of proper input sanitization will allow the script to be executed, demonstrating the XSS vulnerability.