Denial-of-Service Vulnerability in markdown-it Markdown Parser
CVE-2026-48988

5.3MEDIUM

Key Information:

Vendor: Markdown-it
Status: Markdown-it
Vendor: CVE Published:; 17 June 2026

🔔 Create Markdown-it Vulnerability Alert

What is CVE-2026-48988?

The markdown-it version 14.1.1 and earlier includes a vulnerability that may lead to denial-of-service (DoS) when the typographer option is enabled. This is caused by the inefficient string processing during the smartquotes handling, where repeated modifications of strings increasingly consume CPU resources. This issue can be particularly impactful for applications that handle markdown content with extensive quotation usage, as it allows attackers to potentially disrupt service availability. It is important to note that although the typographer setting is disabled by default, many production applications enable it for enhanced typography features, making this vulnerability a concern for those environments. An upgrade to version 14.2.0 is recommended to mitigate this risk.

Affected Version(s)

markdown-it < 14.2.0

References

https://github.com/markdown-it/markdown-it/security/advis...

x_refsource_CONFIRM

https://github.com/markdown-it/markdown-it/commit/9ce2087...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2026
Vulnerability Reserved
May 26, 2026

CVE-2026-48988 Data

JSON