Out of Bounds Read in Go Markdown Library Affects Markdown Processing
CVE-2026-40890

7.5HIGH

Key Information:

Vendor: Gomarkdown
Status: Markdown
Vendor: CVE Published:; 21 April 2026

What is CVE-2026-40890?

A vulnerability exists in the Go library for parsing and rendering Markdown text that could be exploited by processing malformed input. Specifically, if input contains a < character that is not accompanied by a > character within the remaining text, it may lead to an Out of Bounds read or cause a panic when using the SmartypantsRenderer. The issue has been addressed in recent updates, ensuring that users are protected against potential disruptions to Markdown processing.

Affected Version(s)

markdown < 759bbc3e32073c3bc4e25969c132fc520eda2778

References

https://github.com/gomarkdown/markdown/security/advisorie...

x_refsource_CONFIRM

https://github.com/gomarkdown/markdown/commit/759bbc3e320...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 15, 2026

CVE-2026-40890 Data

JSON

Gomarkdown

What is CVE-2026-40890?

Affected Version(s)

References

CVSS V3.1

Timeline