{"id":"CVE-2022-23647","summary":"Cross-site Scripting in Prism","details":"Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.","aliases":["GHSA-3949-f494-cm99"],"modified":"2026-04-02T07:49:08.871822Z","published":"2022-02-18T14:50:10Z","database_specific":{"cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23647.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23647.json"},{"type":"ADVISORY","url":"https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23647"},{"type":"FIX","url":"https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c"},{"type":"FIX","url":"https://github.com/PrismJS/prism/pull/3341"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/prismjs/prism","events":[{"introduced":"435eb2e6cd94948627b044255aab7605235bdfa5"},{"fixed":"703881e14bf7530b180fad6052e535d0085315cd"}]}],"versions":["v1.14.0","v1.15.0","v1.16.0","v1.17.0","v1.17.1","v1.18.0","v1.19.0","v1.20.0","v1.21.0","v1.22.0","v1.23.0","v1.24.0","v1.24.1","v1.25.0","v1.26.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23647.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L"}]}