GHSA-9q5w-79cv-947m · Severity: critical · Ecosystem: npm — Unsafe defaults in `remark-html`
remark-html is an open-source Node.js library that compiles Markdown to HTML. In affected versions, the remark-html documentation stated that it was safe by default. In practice the default was never safe and sanitizing had to be opted into; that is, user input was not sanitized, so arbitrary HTML could pass through to the output, leading to potential XSS. The problem has been patched in 13.0.2 and 14.0.1: `remark-html` is now safe by default, and the implementation matches the documentation. On older affected versions, pass `sanitize: true` if you cannot update.
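The practical question for a defender is whether a given project is exposed: is the installed `remark-html` inside the affected ranges, and does the code pass `sanitize: true` (or a sanitize schema) or rely on the default? The following is an added example, not code from remark-html or its maintainers. It encodes the affected ranges listed in this advisory (`< 13.0.2`, and `>= 14.0.0, < 14.0.1`) and applies a deliberately simple heuristic to the plugin invocation; it assumes options are passed as an object literal in the same statement (e.g. `.use(remarkHtml, { sanitize: true })`), and the `SAMPLE_FINDINGS` entries are constructed input, not real project code.

```javascript
// Added example (not remark-html's own code): flag remark-html usages that
// still rely on the unsafe default instead of opting into sanitizing.

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" is tolerated) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way numeric comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges exactly as the advisory lists them; `max` is exclusive.
const AFFECTED_RANGES = [
  { min: null, max: "13.0.2" },     // everything before the 13.0.2 fix
  { min: "14.0.0", max: "14.0.1" }, // 14.0.0 only; fixed in 14.0.1
];

function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(
    ({ min, max }) =>
      (min === null || compareVersions(version, min) >= 0) &&
      compareVersions(version, max) < 0
  );
}

// Heuristic (assumption: options are an object literal in the same statement).
// Returns "true", "false", "schema" (an object was passed) or null when no
// `sanitize` key is present at all.
function sanitizeSetting(usageSource) {
  const m = /\bsanitize\s*:\s*(true|false|\{)/.exec(usageSource);
  if (!m) return null;
  return m[1] === "{" ? "schema" : m[1];
}

// Combine version and usage into one verdict for an audit report:
//   "sanitized"         - sanitize: true or a schema is passed (safe on any version)
//   "sanitize-disabled" - sanitize: false is passed explicitly (unsafe on any version)
//   "unsafe-default"    - no option and the version has the unsafe default
//   "safe-by-default"   - no option but the version is patched
function assessUsage(version, usageSource) {
  const setting = sanitizeSetting(usageSource);
  if (setting === "true" || setting === "schema") return "sanitized";
  if (setting === "false") return "sanitize-disabled";
  return isAffectedVersion(version) ? "unsafe-default" : "safe-by-default";
}

// Constructed sample findings (not real project code) for a quick run.
const SAMPLE_FINDINGS = [
  { file: "a.js", version: "13.0.1", usage: ".use(remarkHtml)" },
  { file: "b.js", version: "13.0.1", usage: ".use(remarkHtml, { sanitize: true })" },
  { file: "c.js", version: "14.0.0", usage: ".use(remarkHtml)" },
  { file: "d.js", version: "14.0.1", usage: ".use(remarkHtml, { sanitize: false })" },
];

for (const f of SAMPLE_FINDINGS) {
  console.log(`${f.file}: remark-html ${f.version} -> ${assessUsage(f.version, f.usage)}`);
}
```

The version check is the part that maps directly onto the advisory's CPE ranges; the option heuristic is only a scanning aid, since options built elsewhere and passed as a variable will not be seen by the regex and should be reviewed by hand.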
Conclusion & alert: CVE-2021-39199 is rated Moderate Risk (61.3/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.07%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-07-01 | 1.04% | 1.07% | +0.03% |
| 2 | 2026-06-15 | 0.33% | 1.04% | +0.71% |
| 3 | 2025-11-21 | — | 0.33% | — |
Full EPSS history (12 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 10.0 | 3.1 | CRITICAL | | 3.9 | 5.8 | [email protected] |
| 6.1 | 3.1 | MEDIUM | | 2.8 | 2.7 | [email protected] |
| 4.3 | 2.0 | MEDIUM | | 8.6 | 2.9 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| remark | remark-html | < 13.0.2 | cpe:2.3:a:remark:remark-html:*:*:*:*:*:node.js:*:* |
| remark | remark-html | >= 14.0.0, < 14.0.1 | cpe:2.3:a:remark:remark-html:*:*:*:*:*:node.js:*:* |
| URL | Tags |
|---|---|
| https://github.com/remarkjs/remark-html/commit/b75c9dde582ad87ba498e369c033dc8a350478c1 | Patch Third Party Advisory |
| https://github.com/remarkjs/remark-html/releases/tag/14.0.1 | Patch Release Notes Third Party Advisory |
| https://github.com/remarkjs/remark-html/security/advisories/GHSA-9q5w-79cv-947m | Patch Third Party Advisory |
| https://www.npmjs.com/package/remark-html | Product Third Party Advisory |