This affects all versions of package markdown-it-toc. The title of the generated toc and the contents of the header are not escaped.

markdown-it-toc Cross-site Scripting due to title of generated toc and contents of header not being escaped