PT-2026-35040 · Npm · Marked

Maanvader · Published 2026-04-24 · Updated 2026-04-30 · CVE-2026-41680

CVSS v4.0: 8.7 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Marked versions 18.0.0 through 18.0.1

Description

A Denial of Service (DoS) issue exists in the markdown parser and compiler. An unauthenticated attacker can trigger an infinite recursion loop during parsing by providing a specific 3-byte input sequence consisting of a tab, a vertical tab, and a newline (\x09\x0b\n). This results in unbounded memory allocation, leading to memory exhaustion (OOM) and causing the host Node.js application to crash.

Recommendations

Update to version 18.0.2.

Exploit · Fix

DoS · Uncontrolled Recursion · Resource Exhaustion · Infinite Loop

Weakness Enumeration

Related Identifiers

CVE-2026-41680
GHSA-6V9C-7CG6-27Q7

Affected Products

Marked