kramdown (RubyGems) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the RubyGems package kramdown, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (2)
CVE-2020-14001 — CVSS 9.8 (critical): The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read…
CVE-2021-28834 — CVSS 9.8 (critical): Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.