Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The package joyqi/hyper-down from 0.0.0 is vulnerable to Cross-site Scripting (XSS) because the module of parse markdown does not filter the href attribute very well.