In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters, as demonstrated by a \x0ejavascript: URL.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| remarkable(npm) | 0 | 1.7.2 | N/A |
CVSS Metrics
