Denial of Service Vulnerability in Marked Markdown Parser by Marked
CVE-2026-41680

8.7 HIGH

Key Information:

Vendor: Markedjs

Status
Vendor
CVE Published: 24 April 2026

What is CVE-2026-41680?

Marked, a popular markdown parser and compiler, has a Denial of Service vulnerability that affects versions 18.0.0 and 18.0.1. An unauthenticated attacker can trigger it by supplying a specific sequence of 3 bytes (a tab, a vertical tab, and a newline character), which causes infinite recursion during parsing. The recursion leads to unbounded memory allocation, and the Node.js application crashes from memory exhaustion. Users are advised to upgrade to version 18.0.2 or later to mitigate this risk.

Affected Version(s)

marked >= 18.0.0, < 18.0.2
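
To check whether a project pulls in an affected copy, including transitive ones, the installed versions in package-lock.json can be compared against the range above. The script below is an added example, not code from the Marked project; the function names and the sample lockfile are constructed for illustration, and it assumes a lockfileVersion 2 or 3 file with a `packages` map.

```javascript
// Added example: flags copies of marked in the affected range (>= 18.0.0, < 18.0.2).

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v));
  return m && { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) };
}

// Semver-style ordering; a pre-release sorts below its release.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  return a.pre === b.pre ? 0 : a.pre ? -1 : 1;
}

const LOW = parseVersion("18.0.0");
const FIXED = parseVersion("18.0.2");

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, LOW) >= 0 && compare(v, FIXED) < 0;
}

// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path,
// so nested (transitive) copies appear as ".../node_modules/marked".
function findAffectedMarked(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (name === "marked" && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/marked": { version: "18.0.2" },
    "node_modules/docs-tool/node_modules/marked": { version: "18.0.1" },
    "node_modules/legacy/node_modules/marked": { version: "17.0.0" },
  },
};

console.log(findAffectedMarked(sampleLock));
```

Pre-release builds of 18.0.2 sort below the fixed release and are flagged so they can be reviewed by hand.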

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
