This CommonMark file demonstrates some potential exploits if untrusted input is rendered with a compliant renderer. The point of this file isn't to say that CommonMark is unsafe --- the features below are very useful in many situations and are worth having in the CommonMark spec --- but that it is not safe to give untrusted input to CommonMark renderers without taking precautions.
GitHub doesn't render gists using CommonMark, so the items below won't appear as exploits here. Look at the source of this gist for the actual CommonMark.
This link will execute a script.
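The precaution the first paragraph calls for is to sanitize the renderer's HTML output against an allow-list before it reaches a browser. The example below is added here and is not part of the gist; it is a standard-library-only sanitizer, and the `RENDERED` string is a hand-constructed sample of what a spec-compliant renderer emits for a `javascript:` link and for raw HTML (a `<script>` block and an inline event handler), not captured from any particular renderer.

```python
"""Allow-list sanitizer for HTML produced by a CommonMark renderer.

Added example, not part of the original gist. The RENDERED sample below is
constructed by hand to mirror what a compliant renderer emits for:
    [This link will execute a script.](javascript:alert(1))
    <script>alert(document.cookie)</script>        (raw HTML block)
    <a href="#" onclick="alert(1)">click</a>       (inline raw HTML)
No Markdown renderer is invoked here.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li",
                "blockquote", "h1", "h2", "h3", "img", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}   # tag AND its contents are removed


def url_is_safe(value):
    """Allow relative URLs and the schemes in SAFE_SCHEMES only."""
    # Browsers ignore leading/trailing whitespace and ASCII control characters
    # (tab, newline) anywhere in a URL, so "java\tscript:" must still be caught.
    cleaned = "".join(ch for ch in value.strip() if ord(ch) >= 0x20)
    scheme = urlsplit(cleaned).scheme.lower()   # urlsplit lowercases the scheme
    return scheme == "" or scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: entity-encoded payloads such as
        # &#106;avascript: arrive already decoded, so the scheme check sees them.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                      # unknown tag: dropped, its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # drops onclick=, style=, etc.
            value = value or ""
            if name in URL_ATTRS and not url_is_safe(value):
                continue                # drops javascript:, data:, vbscript: ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)    # <br/>, <img .../>

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-escape text nodes

    def handle_comment(self, data):
        pass                                # comments are dropped entirely


def sanitize_html(rendered_html):
    """Return rendered_html with only allow-listed tags, attributes and URL schemes."""
    s = Sanitizer()
    s.feed(rendered_html)
    s.close()
    return "".join(s.out)


# Constructed sample of renderer output for the three payloads listed above.
RENDERED = (
    '<p><a href="javascript:alert(1)">This link will execute a script.</a></p>\n'
    '<script>alert(document.cookie)</script>\n'
    '<p><a href="#" onclick="alert(1)">click</a> '
    '<a href="https://example.com" title="ok">safe</a></p>\n'
)

if __name__ == "__main__":
    print(sanitize_html(RENDERED))
```

Sanitize the rendered HTML, not the Markdown source: CommonMark offers several spellings for the same link (inline, reference, autolink, raw HTML), and the HTML is the only form the browser actually sees. In production, reach for a maintained sanitizer (bleach or DOMPurify) rather than this hand-rolled one; the point of the example is what such a sanitizer has to do.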