Advisories for Npm/Remarkable package

2020
2019

XSS via URLs

In remarkable, lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters.

2018
2017
2014

Content Injection

Certain input, when passed into remarkable, bypasses the bad protocol check that disallows the javascript: scheme, allowing javascript: URLs to be injected into the rendered content.