Description
Versions of showdown prior to 1.9.1 are vulnerable to Reverse Tabnabbing. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks.
Recommendation
Update the showdown package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.9.1
- Patched version(s): 1.9.1
References
Related Issues
- Reverse Tabnabbing in quill - Vulnerability
- Reverse Tabnapping in swagger-ui - Vulnerability
- @saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plug - Vulnerability
- SillyTavern has a SSRF vulnerability in the CORS proxy middleware - CVE-2026-44652
You might also like:
- Tags:
- npm
- showdown
Anything's wrong? Let us know Last updated on April 05, 2023


