PT-2026-33236 · Github · Gomarkdown/Markdown
Julesdt · Published 2026-04-14 · Updated 2026-05-18 · CVE-2026-40890
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
github.com/gomarkdown/markdown (affected versions not specified)
Description
Using a SmartypantsRenderer to process malformed input that contains a < character not followed by a > character anywhere in the remaining text can lead to an out-of-bounds read or a panic. This occurs because the smartLeftAngle() function performs an out-of-bounds slice operation. If the slice length is lower than its capacity, an extra byte of data is read; if the length equals the capacity, the operation panics, potentially leading to a Denial of Service on the processing service.
Recommendations
Apply the fix provided in commit 759bbc3e32073c3bc4e25969c132fc520eda2778.
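The two outcomes in the Description (one extra byte read versus a panic) follow from Go checking slice bounds against capacity rather than length. The sketch below is an added example, not the project's code and not the referenced commit: `copyTagUnchecked` and `copyTagChecked` are hypothetical stand-ins for the described pattern and a clamped variant, and the input bytes are constructed.

```go
package main

import (
	"bytes"
	"fmt"
)

// copyTagUnchecked is a hypothetical stand-in for the pattern the advisory
// describes: scan for '>' and slice one past the index where the scan stopped.
func copyTagUnchecked(text []byte) (out []byte, panicked bool) {
	defer func() {
		if recover() != nil { // the runtime bounds-check panic lands here
			out, panicked = nil, true
		}
	}()
	i := 0
	for i < len(text) && text[i] != '>' {
		i++
	}
	// With no '>' present, i == len(text), so i+1 is past the slice length.
	// Go checks slice bounds against capacity, not length.
	return append([]byte(nil), text[:i+1]...), false
}

// copyTagChecked clamps the end index to len(text) before slicing.
func copyTagChecked(text []byte) []byte {
	end := bytes.IndexByte(text, '>') + 1
	if end == 0 { // no closing '>' in the remaining text
		end = len(text)
	}
	return append([]byte(nil), text[:end]...)
}

func main() {
	backing := []byte("<b oops!SECRET") // constructed sample input
	spare := backing[:8]                // len 8, cap 14: backing bytes follow
	exact := backing[:8:8]              // len 8, cap 8: no spare capacity
	for _, in := range [][]byte{spare, exact} {
		out, panicked := copyTagUnchecked(in)
		fmt.Printf("unchecked cap=%d out=%q panicked=%v\n", cap(in), out, panicked)
		fmt.Printf("checked   cap=%d out=%q\n", cap(in), copyTagChecked(in))
	}
}
```

A service that parses untrusted Markdown in a request handler without its own `recover` would terminate on the second case, which is the availability impact the CVSS vector records.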
Out of bounds Read
Weakness Enumeration
Related Identifiers
Affected Products
Gomarkdown/Markdown