Marko · Marko · CVE-2026-41591
**Name of the Vulnerable Software and Affected Versions**
marko versions prior to 5.38.36
@marko/runtime-tags versions prior to 6.0.164
**Description**
Marko is a declarative, HTML-based language for building web apps. A flaw exists where the runtime fails to prevent tag breakout when dynamic text is interpolated into a `<script>` or `<style>` tag and the closing tag uses non-lowercase casing. Because the browser parser treats HTML tag names as case-insensitive, an attacker can use mixed-case tags such as `</SCRIPT>` or `</sTyLe>` to bypass case-sensitive regular expressions used by the framework. This allows the attacker to terminate the script or style context and inject arbitrary HTML or JavaScript, leading to cross-site scripting. This issue specifically affects templates that explicitly interpolate untrusted data inside these blocks.
**Recommendations**
Update marko to version 5.38.36.
Update @marko/runtime-tags to version 6.0.164.
As a temporary workaround, pre-sanitize untrusted data by normalizing `</script` and `</style` (including mixed-case variants) before interpolation, or avoid direct interpolation of untrusted values inside `<script>` or `<style>` tags.
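The case mismatch described above, and the workaround it motivates, as an added example that is not Marko's own code: a case-sensitive neutraliser of the kind the advisory describes, beside a detector and a neutraliser that match end tags the way the HTML tokenizer does (ASCII case-insensitively). Function names are hypothetical.

```javascript
// Added example, not code from the Marko project.
// Raw-text elements (<script>, <style>) end at "</" + tag name compared
// ASCII-case-insensitively, followed by whitespace, "/" or ">".

// Weak variant: case-sensitive, so "</SCRIPT>" or "</sTyLe>" is left
// untouched and reaches the browser as a real end tag.
function neutralizeBreakoutWeak(text, tagName) {
  return String(text).split(`</${tagName}`).join(`<\\/${tagName}`);
}

// Detector: true if `text` would close a raw-text element named `tagName`
// ("script" or "style"; the element name is a fixed literal, never user input).
// Mirrors the tokenizer's end-tag rule, including the terminator lookahead.
function wouldBreakOut(text, tagName) {
  const re = new RegExp(`</${tagName}(?=[\\s/>])`, "i");
  return re.test(String(text));
}

// Hardened neutraliser: case-insensitive ("i" flag) and deliberately
// conservative (no terminator lookahead, so "</scriptfoo" is rewritten too).
// Breaking "</" into "<\/" is a no-op inside a JS string or regex literal and
// inside a CSS string, the places where data is normally interpolated here.
function neutralizeBreakout(text, tagName) {
  const re = new RegExp(`</(${tagName})`, "gi");
  return String(text).replace(re, "<\\/$1");
}

// Constructed sample: mixed-case end tag followed by benign markup.
const sample = "</SCRIPT><b>injected</b>";
console.log(neutralizeBreakoutWeak(sample, "script")); // unchanged: bypass
console.log(wouldBreakOut(sample, "script"));          // true
console.log(neutralizeBreakout(sample, "script"));     // <\/SCRIPT><b>injected</b>
```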