CVE-2026-41680
CVE-2026-41680 is a high-severity vulnerability rated 8.7/10 on the CVSS scale. Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. EPSS estimates a 0.34% chance of exploitation in the next 30 days.
Description
Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence (a tab, a vertical tab, and a newline: \x09\x0b\n), an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via memory exhaustion (OOM). This vulnerability is fixed in 18.0.2.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Marked Project | Marked | >= 18.0.0, < 18.0.2 |
References
- https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7 (Exploit, Vendor Advisory)
Source: NVD / NIST
