{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-59940", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-09-23T14:33:49.505Z", "datePublished": "2025-09-29T22:27:30.087Z", "dateUpdated": "2025-09-30T14:34:58.817Z"}, "containers": {"cna": {"title": "mkdocs-include-markdown-plugin susceptible to unvalidated input colliding with substitution placeholders", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/mondeja/mkdocs-include-markdown-plugin/security/advisories/GHSA-v39m-5m9j-m9w9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mondeja/mkdocs-include-markdown-plugin/security/advisories/GHSA-v39m-5m9j-m9w9"}, {"name": "https://github.com/mondeja/mkdocs-include-markdown-plugin/issues/274", "tags": ["x_refsource_MISC"], "url": "https://github.com/mondeja/mkdocs-include-markdown-plugin/issues/274"}, {"name": "https://github.com/mondeja/mkdocs-include-markdown-plugin/pull/277", "tags": ["x_refsource_MISC"], "url": "https://github.com/mondeja/mkdocs-include-markdown-plugin/pull/277"}, {"name": "https://github.com/mondeja/mkdocs-include-markdown-plugin/commit/7466d67aa0de8ffbc427204ad2475fed07678915", "tags": ["x_refsource_MISC"], "url": "https://github.com/mondeja/mkdocs-include-markdown-plugin/commit/7466d67aa0de8ffbc427204ad2475fed07678915"}], "affected": [{"vendor": "mondeja", "product": "mkdocs-include-markdown-plugin", "versions": [{"version": "< 7.1.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-09-29T22:27:30.087Z"}, "descriptions": [{"lang": "en", "value": "mkdocs-include-markdown-plugin is an Mkdocs Markdown includer plugin. In versions 7.1.7 and below, there is a vulnerability where unvalidated input can collide with substitution placeholders. This issue is fixed in version 7.1.8."}], "source": {"advisory": "GHSA-v39m-5m9j-m9w9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-30T14:34:50.885959Z", "id": "CVE-2025-59940", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T14:34:58.817Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-59940", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-30T14:34:50.885959Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T14:34:55.842Z"}}], "cna": {"title": "mkdocs-include-markdown-plugin susceptible to unvalidated input colliding with substitution placeholders", "source": {"advisory": "GHSA-v39m-5m9j-m9w9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "mondeja", "product": "mkdocs-include-markdown-plugin", "versions": [{"status": "affected", "version": "< 7.1.8"}]}], "references": [{"url": "https://github.com/mondeja/mkdocs-include-markdown-plugin/security/advisories/GHSA-v39m-5m9j-m9w9", "name": "https://github.com/mondeja/mkdocs-include-markdown-plugin/security/advisories/GHSA-v39m-5m9j-m9w9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mondeja/mkdocs-include-markdown-plugin/issues/274", "name": "https://github.com/mondeja/mkdocs-include-markdown-plugin/issues/274", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mondeja/mkdocs-include-markdown-plugin/pull/277", "name": "https://github.com/mondeja/mkdocs-include-markdown-plugin/pull/277", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mondeja/mkdocs-include-markdown-plugin/commit/7466d67aa0de8ffbc427204ad2475fed07678915", "name": "https://github.com/mondeja/mkdocs-include-markdown-plugin/commit/7466d67aa0de8ffbc427204ad2475fed07678915", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "mkdocs-include-markdown-plugin is an Mkdocs Markdown includer plugin. In versions 7.1.7 and below, there is a vulnerability where unvalidated input can collide with substitution placeholders. This issue is fixed in version 7.1.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-09-29T22:27:30.087Z"}}}, "cveMetadata": {"cveId": "CVE-2025-59940", "state": "PUBLISHED", "dateUpdated": "2025-09-30T14:34:58.817Z", "dateReserved": "2025-09-23T14:33:49.505Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-09-29T22:27:30.087Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "mkdocs-include-markdown-plugin is an Mkdocs Markdown includer plugin. In versions 7.1.7 and below, there is a vulnerability where unvalidated input can collide with substitution placeholders. This issue is fixed in version 7.1.8."}], "id": "CVE-2025-59940", "lastModified": "2025-10-02T19:12:42.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-09-29T23:15:31.967", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/mondeja/mkdocs-include-markdown-plugin/commit/7466d67aa0de8ffbc427204ad2475fed07678915"}, {"source": "security-advisories@github.com", "url": "https://github.com/mondeja/mkdocs-include-markdown-plugin/issues/274"}, {"source": "security-advisories@github.com", "url": "https://github.com/mondeja/mkdocs-include-markdown-plugin/pull/277"}, {"source": "security-advisories@github.com", "url": "https://github.com/mondeja/mkdocs-include-markdown-plugin/security/advisories/GHSA-v39m-5m9j-m9w9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "mkdocs-include-markdown-plugin: mkdocs-include-markdown-plugin susceptible to unvalidated input colliding with substitution placeholders", "id": "2400372", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2400372"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "status": "draft"}, "cwe": "CWE-20", "details": ["mkdocs-include-markdown-plugin is an Mkdocs Markdown includer plugin. In versions 7.1.7 and below, there is a vulnerability where unvalidated input can collide with substitution placeholders. This issue is fixed in version 7.1.8."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-59940", "package_state": [{"cpe": "cpe:/a:redhat:assisted_installer:2", "fix_state": "Fix deferred", "package_name": "rhai/assisted-installer-agent-rhel9", "product_name": "Assisted Installer for Red Hat OpenShift Container Platform 2"}, {"cpe": "cpe:/a:redhat:assisted_installer:2", "fix_state": "Fix deferred", "package_name": "rhai/assisted-installer-controller-rhel9", "product_name": "Assisted Installer for Red Hat OpenShift Container Platform 2"}, {"cpe": "cpe:/a:redhat:assisted_installer:2", "fix_state": "Fix deferred", "package_name": "rhai/assisted-installer-rhel9", "product_name": "Assisted Installer for Red Hat OpenShift Container Platform 2"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/assisted-installer-agent-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/assisted-installer-controller-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/assisted-installer-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/assisted-service-8-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/assisted-service-9-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-agent-installer-api-server-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-agent-installer-csr-approver-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-agent-installer-node-agent-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-agent-installer-orchestrator-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-09-29T22:27:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-59940\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59940\nhttps://github.com/mondeja/mkdocs-include-markdown-plugin/commit/7466d67aa0de8ffbc427204ad2475fed07678915\nhttps://github.com/mondeja/mkdocs-include-markdown-plugin/issues/274\nhttps://github.com/mondeja/mkdocs-include-markdown-plugin/pull/277\nhttps://github.com/mondeja/mkdocs-include-markdown-plugin/security/advisories/GHSA-v39m-5m9j-m9w9"], "threat_severity": "Moderate"}

{"created": "2025-09-30T08:47:46.086502+00:00", "updated": "2025-09-30T08:47:46.086565+00:00", "vendors": ["mkdocs", "mkdocs$PRODUCT$mkdocs", "mondeja", "mondeja$PRODUCT$mkdocs-include-markdown-plugin"]}