PT-2026-34608 · Marko · Marko

K0W4Lzk1

Published 2026-04-22 · Updated 2026-05-30

CVE-2026-41591
CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
marko versions prior to 5.38.36
@marko/runtime-tags versions prior to 6.0.164
Description Marko is a declarative, HTML-based language for building web apps. The runtime fails to prevent tag breakout when dynamic text is interpolated into a <script> or <style> tag and the attacker-controlled text contains a closing tag in non-lowercase casing. The framework guarded against breakout with case-sensitive regular expressions, so only the exact lowercase sequences </script and </style were neutralized. Because the HTML parser compares tag names case-insensitively, a mixed-case closing tag such as </SCRIPT> or </sTyLe> passes through the check unchanged and still terminates the script or style context in the browser. The attacker can then inject arbitrary HTML or JavaScript after it, leading to cross-site scripting. This issue specifically affects templates that explicitly interpolate untrusted data inside these blocks.
Recommendations Update marko to version 5.38.36 or later. Update @marko/runtime-tags to version 6.0.164 or later. As a temporary workaround, pre-sanitize untrusted data before interpolation by neutralizing every occurrence of </script and </style matched case-insensitively (so that mixed-case variants are covered), or avoid direct interpolation of untrusted values inside <script> or <style> tags altogether.
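The following is an added example for this advisory, covering both the bug class in the Description and the workaround in the Recommendations. It is not Marko's code and does not reproduce the project's actual regular expressions: escapeVulnerable is a hypothetical case-sensitive guard of the kind the description refers to, escapeHardened is the fix a practitioner would apply, and rawTextEnd applies the HTML tokenizer's case-insensitive end-tag rule to the rendered markup to show which payloads actually terminate the block. The template string, payloads and function names are all constructed for the illustration.

```javascript
// Added example for this advisory, not Marko's own code: a hypothetical
// case-sensitive escaper (the bug class the description refers to) beside a
// hardened one, and a check that applies the HTML tokenizer's case-insensitive
// end-tag rule to the rendered markup. Template, payloads and names are constructed.

// Hypothetical vulnerable escaper (assumption, not Marko's real regex): it neutralizes
// only the exact lowercase sequence, so "</SCRIPT" or "</sTyLe" pass through untouched.
function escapeVulnerable(text, ctx) {
  const re = ctx === "style" ? /<\/style/g : /<\/script/g;
  return String(text).replace(re, (m) => "<\\" + m.slice(1)); // "</script" -> "<\/script"
}

// Hardened escaper: do not try to enumerate tag spellings at all. Every "<" is
// rewritten as the string-literal escape for the target language, so no closing tag
// of any casing (and no "<!--") can start. In a JS string literal "\u003c" is "<";
// in a CSS string "\3c " is "<". Assumes the value sits inside a quoted literal;
// quote/backslash escaping of the literal itself is a separate concern left out here.
function escapeHardened(text, ctx) {
  const lt = ctx === "style" ? "\\3c " : "\\u003c";
  return String(text).replace(/</g, lt);
}

// Where a browser tokenizer ends the raw-text body of <script>/<style>: at the first
// "</" + tag name, compared ASCII case-insensitively, whose next character is
// whitespace, "/" or ">" (the HTML "script data end tag" / RAWTEXT end-tag rule).
function rawTextEnd(html, bodyStart, tag) {
  const lower = html.toLowerCase();
  const needle = "</" + tag;
  for (let i = lower.indexOf(needle, bodyStart); i !== -1; i = lower.indexOf(needle, i + 1)) {
    const next = html[i + needle.length];
    if (next !== undefined && /[\t\n\f />]/.test(next)) return i;
  }
  return -1;
}

// A constructed page that interpolates the untrusted value inside a <script> or
// <style> block, the pattern the advisory says is affected.
function render(untrusted, ctx, escaper) {
  const tag = ctx === "style" ? "style" : "script";
  const body = tag === "style"
    ? `.greeting::after { content: "${escaper(untrusted, ctx)}"; }`
    : `var greeting = "${escaper(untrusted, ctx)}";`;
  return `<html><body><${tag}>${body}</${tag}><p>after</p></body></html>`;
}

// True when the tokenizer closes the block before the template's own closing tag,
// i.e. the untrusted value broke out of the raw-text context.
function breaksOut(untrusted, ctx, escaper) {
  const tag = ctx === "style" ? "style" : "script";
  const html = render(untrusted, ctx, escaper);
  const bodyStart = html.indexOf(`<${tag}>`) + tag.length + 2;
  const intendedEnd = html.lastIndexOf(`</${tag}>`);
  const actualEnd = rawTextEnd(html, bodyStart, tag);
  return actualEnd !== -1 && actualEnd < intendedEnd;
}

// Constructed payloads: lowercase, upper-case, and mixed-case with a tab before ">"
// (the tokenizer also accepts whitespace or "/" after the tag name).
function payloads(tag) {
  const rest = "><img src=x onerror=alert(1)>";
  const mixed = [...tag].map((c, i) => (i % 2 ? c.toUpperCase() : c)).join("");
  return [`</${tag}${rest}`, `</${tag.toUpperCase()}${rest}`, `</${mixed}\t${rest}`];
}

// For one escaper, which payloads break out of each context.
function evaluate(escaper) {
  const out = {};
  for (const ctx of ["script", "style"]) {
    out[ctx] = payloads(ctx).map((p) => breaksOut(p, ctx, escaper));
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", JSON.stringify(evaluate(escapeVulnerable)));
  console.log("hardened:  ", JSON.stringify(evaluate(escapeHardened)));
}
```

Run with node: the case-sensitive escaper stops only the lowercase payload and lets the upper-case and mixed-case ones close the block, while the hardened escaper stops all three in both contexts. Rewriting every "<" rather than matching tag names is the design choice here, because it also removes the need to reason about whitespace or "/" after the tag name and about "<!--" inside script data. Escaping of quotes and backslashes for the enclosing string literal still has to be done separately (for example with JSON.stringify for JavaScript).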

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-41591
GHSA-X9FJ-57FH-C8WQ

Affected Products

Marko