GHSA-f9vc-q3hh-qhfv

GitHub Security Advisory

Content Injection in remarkable

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Versions 1.4.0 and earlier of `remarkable` are affected by a cross-site scripting vulnerability. This occurs because vulnerable versions of `remarkable` did not properly whitelist link protocols, and consequently allowed `javascript:` to be used.

## Proof of Concept

Markdown Source:
```
[link](<javascript:alert(1)>)
```

Rendered HTML:
```
<a href="javascript:alert(1)">link</a>
```

## Recommendation

Update to version 1.4.1 or later.
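The missing check this advisory describes is a link-protocol allowlist applied before an href is emitted. The following is an added example in JavaScript (not remarkable's own code; `isSafeLink`, `renderLink` and the helper names are chosen for this illustration). It goes beyond the PoC above by also rejecting mixed-case, embedded-whitespace and HTML-entity spellings of the scheme, which a plain string comparison against `javascript:` would miss.

```javascript
// Added example, not part of the remarkable project. Only these schemes may
// appear in an emitted href; relative URLs (no scheme) are allowed as well.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Convert a numeric code point to a string, ignoring out-of-range values.
function cp(n) {
  return n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '';
}

// Decode numeric and a few named entities so that "&#106;avascript:" is
// seen as "javascript:". Included defensively for renderers that pass
// entities in link destinations through to the attribute unchanged.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&tab;/gi, '\t')
    .replace(/&newline;/gi, '\n')
    .replace(/&colon;/gi, ':');
}

// Returns true only when the link destination is relative or uses an
// allowlisted scheme, after undoing the normalisations browsers apply.
function isSafeLink(href) {
  let url = decodeEntities(href);
  // Browsers drop leading/trailing C0 controls and spaces, and drop
  // tab/CR/LF anywhere in the URL ("java\tscript:" parses as javascript:).
  url = url.replace(/^[\u0000-\u0020]+/, '').replace(/[\u0000-\u0020]+$/, '');
  url = url.replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true; // no scheme at all: a relative URL
  return ALLOWED_PROTOCOLS.has(m[1].toLowerCase() + ':');
}

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Render a Markdown link; an unsafe destination is dropped and only the
// escaped link text is emitted.
function renderLink(text, href) {
  if (!isSafeLink(href)) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// The advisory's PoC destination now renders as plain text.
console.log(renderLink('link', 'javascript:alert(1)'));
```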

Affected Packages

npm remarkable
Affected versions: 0 (fixed in 1.4.1)

Key Information

GHSA ID
GHSA-f9vc-q3hh-qhfv
Published
August 31, 2020 10:56 PM
Last Modified
August 31, 2020 6:08 PM
CVSS Score
7.5 /10
Primary Ecosystem
npm
Primary Package
remarkable
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 5, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.