{"id":"CVE-2020-26298","details":"Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit.","aliases":["GHSA-q3wr-qw3g-3p4h"],"modified":"2026-04-11T16:25:29.816743Z","published":"2021-01-11T19:15:13.133Z","related":["GHSA-q3wr-qw3g-3p4h","SUSE-SU-2021:3728-1","SUSE-SU-2021:3729-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFMYDIONVWATY7EB6EARDVXT47AYCRNM/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNO4ZZUPGAEUXKQL4G2HRIH7CUZKPCT6/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXNNWHHAPREDM3XJDACYRTK7DBMUONBI/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-q3wr-qw3g-3p4h"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/01/msg00014.html"},{"type":"ADVISORY","url":"https://rubygems.org/gems/redcarpet"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4831"},{"type":"ADVISORY","url":"https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security"},{"type":"FIX","url":"https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vmg/redcarpet","events":[{"introduced":"0"},{"fixed":"a699c82292b17c8e6a62e1914d5eccc252272793"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.5.1"}]}}],"versions":["v1.17.2","v2.0.0","v2.0.1","v2.1.0","v2.1.1","v2.2.0","v2.2.1","v2.2.2","v3.0.0","v3.1.1","v3.2.0","v3.3.0","v3.3.1","v3.3.2","v3.3.3","v3.3.4","v3.4.0","v3.5.0"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","signature_type":"Line","target":{"file":"ext/redcarpet/html.c"},"digest":{"line_hashes":["198197667677715849428623281048180277561","54830763969004594676731107425085190938","97811103998125843691871254455650728211","139603207368515949909553120480638757958","313289017949240420953274720090354965485"],"threshold":0.9},"id":"CVE-2020-26298-bc2a74b8","source":"https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793","deprecated":false},{"signature_version":"v1","signature_type":"Function","target":{"file":"ext/redcarpet/html.c","function":"rndr_quote"},"digest":{"function_hash":"244524669993411248594301671481377802264","length":249},"id":"CVE-2020-26298-ccd1bdea","source":"https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793","deprecated":false}],"vanir_signatures_modified":"2026-04-11T16:25:29Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26298.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}