πŸ” CVE Alert

CVE-2026-41680

UNKNOWN 0.0

Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)β€”an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

CWE CWE-400 CWE-674 CWE-835
Vendor markedjs
Product marked
Published Apr 24, 2026
Last Updated Apr 24, 2026
Stay Ahead of the Next One

Get instant alerts for markedjs marked

Be the first to know when new unknown vulnerabilities affecting markedjs marked are published β€” delivered to Slack, Telegram or Discord.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

Affected Versions

markedjs / marked
>= 18.0.0, < 18.0.2

References

NVD β†— CVE.org β†— EPSS Data β†—
github.com: https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7