CVE-2020-11888

python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute.
Source: NIST
CVE-2020-11888