CVE-2026-40890
github.com/gomarkdown/markdown: Out-of-bounds Read in SmartypantsRenderer
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering it as HTML. When a `SmartypantsRenderer` processes malformed input containing a `<` character that is not followed by a `>` character anywhere in the remaining text, the result is an out-of-bounds read or a panic. The vulnerability is fixed in commit 759bbc3e32073c3bc4e25969c132fc520eda2778.
| CWE | CWE-125 |
| Vendor | gomarkdown |
| Product | markdown |
| Published | Apr 21, 2026 |
| Last Updated | Apr 21, 2026 |
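The two outcomes named in the description, an out-of-bounds read or a panic, are what Go produces when a slice bound is computed one past the end. The following is an added illustration of that bug class, not the library's code and not the fix from the commit above. The names `scanUnsafe`, `scanSafe` and `run` and the input bytes are hypothetical, and it assumes the scanner copies text up to the closing `>`.

```go
package main

import (
	"bytes"
	"fmt"
)

// scanUnsafe is a hypothetical scanner (not the library's code). It copies
// everything up to the closing '>' and assumes that '>' is always present.
func scanUnsafe(out *bytes.Buffer, text []byte) {
	i := 0
	for i < len(text) && text[i] != '>' {
		i++
	}
	// No '>' found: i == len(text), so text[:i+1] reaches past the length.
	// Go permits that up to cap(text) (a stale byte leaks) and panics beyond it.
	out.Write(text[:i+1])
}

// scanSafe treats a '<' with no closing '>' as a literal character.
func scanSafe(out *bytes.Buffer, text []byte) {
	if i := bytes.IndexByte(text, '>'); i >= 0 {
		out.Write(text[:i+1])
		return
	}
	out.WriteByte('<')
}

// run applies scan to text and reports the output and whether it panicked.
func run(scan func(*bytes.Buffer, []byte), text []byte) (got string, panicked bool) {
	defer func() { panicked = recover() != nil }()
	var out bytes.Buffer
	scan(&out, text)
	return out.String(), false
}

func main() {
	backing := []byte("<bX") // constructed input; 'X' lies outside both slices below
	spare := backing[:2]     // "<b" with spare capacity behind it
	tight := backing[:2:2]   // "<b" with capacity exactly 2
	for _, text := range [][]byte{spare, tight, []byte("<b>")} {
		u, up := run(scanUnsafe, text)
		s, sp := run(scanSafe, text)
		fmt.Printf("cap=%d unsafe=%q panic=%v | safe=%q panic=%v\n", cap(text), u, up, s, sp)
	}
}
```

Whether the unsafe variant leaks a byte or panics depends only on the capacity of the slice the caller passes in, so the same input can behave differently from one call site to another.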
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | High |
Affected Versions
gomarkdown / markdown
< 759bbc3e32073c3bc4e25969c132fc520eda2778