CVE-2026-41680

216.73.217.22

· Published 24/04/2026 18:16 · Modified 24/04/2026 19:17

Labels: CVE-2026-41680 2026-04-24 CVE-2026-41680 CWE-400 [email protected]

Essential information

Published: 24/04/2026 18:16
Modified: 24/04/2026 19:17
Author: —
Creator: —
CVSS: 8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
marked / marked	`cpe:2.3:a:marked:marked:18.0.0-18.0.1:::::::*`
marked / marked	`cpe:2.3:a:marked:marked:18.0.2:::::::*`