CVE-2026-41591: Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping

April 22, 2026

When dynamic text is interpolated into a <script> or <style> tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a <script> or <style> block could break out of the tag with </SCRIPT>, </Style>, etc. and inject arbitrary HTML/JavaScript, resulting in cross-site scripting.

References

github.com/advisories/GHSA-x9fj-57fh-c8wq
github.com/marko-js/marko
github.com/marko-js/marko/security/advisories/GHSA-x9fj-57fh-c8wq
nvd.nist.gov/vuln/detail/CVE-2026-41591

Code Behaviors & Features

Detect and mitigate CVE-2026-41591 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →