CVE-2026-41680 | THREATINT

Description

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

PUBLISHED Reserved 2026-04-22 | Published 2026-04-24 | Updated 2026-04-24 | Assigner GitHub_M

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-400: Uncontrolled Resource Consumption

CWE-674: Uncontrolled Recursion

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Product status

>= 18.0.0, < 18.0.2

affected

References

github.com/...marked/security/advisories/GHSA-6v9c-7cg6-27q7 exploit

github.com/...marked/security/advisories/GHSA-6v9c-7cg6-27q7

cve.org (CVE-2026-41680)

nvd.nist.gov (CVE-2026-41680)

Download JSON