Conversation

@caverav caverav commented Jan 22, 2026

Updates

  • Affected products
  • CVSS v3
  • CVSS v4
  • Source code location
  • Summary

Comments
I would like credits as the Finder, as I was the security researcher that found this vulnerability.

Copilot AI review requested due to automatic review settings January 22, 2026 14:09

Copilot AI left a comment

Pull request overview

This PR updates a security advisory for CVE-2025-7969, a cross-site scripting (XSS) vulnerability in markdown-it version 14.1.0. The changes enhance the advisory with additional metadata and correct categorization of references.

Changes:

  • Added summary field describing the XSS vulnerability
  • Updated CVSS scoring to remove v3 and simplify v4 metrics
  • Populated affected products section with npm package details

@github-actions github-actions bot changed the base branch from main to caverav/advisory-improvement-6693 January 22, 2026 14:11
Contributor

shelbyc commented Jan 22, 2026

Hi @caverav, as with #6692, I'm closing this PR without adding the advisory and Analyst credit because I can't change advisories without adding them to the reviewed data set. My teammates and I chose not to review GHSA-vgm8-mvfh-rj89 when it first landed in our review queue in 2025.

@shelbyc shelbyc closed this Jan 22, 2026
@github-actions github-actions bot deleted the caverav-GHSA-vgm8-mvfh-rj89 branch January 22, 2026 18:38