Severity: high

Cross-Site Scripting



All versions of hexo-admin are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize rendered markdown, allowing attackers to execute arbitrary JavaScript in a victim's browser if they are able to create new posts.


No fix is currently available. Consider using an alternative package until a fix is made available.


Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    Oct 18th, 2019
  2. reported

    Reported by Chintan
    Oct 14th, 2019