High severity (7.5) · NVD Advisory · Published Apr 21, 2026 · Updated Apr 27, 2026
CVE-2026-40890
Description
The package github.com/gomarkdown/markdown is a Go library for parsing Markdown text and rendering it as HTML. Processing malformed input that contains a < character not followed by a > character anywhere in the remaining text with a SmartypantsRenderer leads to an out-of-bounds read or a panic. This vulnerability is fixed in commit 759bbc3e32073c3bc4e25969c132fc520eda2778.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/gomarkdown/markdown (Go) | < 0.0.0-20260411013819-759bbc3e3207 | 0.0.0-20260411013819-759bbc3e3207 |
Affected products
- osv-coords, 15 versions (< 0.17.0-r4 + 14 more):
  - pkg:apk/chainguard/fq
  - pkg:apk/chainguard/gotenberg
  - pkg:apk/chainguard/kube-metrics-adapter
  - pkg:apk/chainguard/kube-metrics-adapter-fips
  - pkg:apk/chainguard/snyk-cli
  - pkg:apk/chainguard/temporal
  - pkg:apk/chainguard/temporal-fips
  - pkg:apk/chainguard/temporal-ui-server
  - pkg:apk/chainguard/temporal-ui-server-fips
  - pkg:apk/wolfi/fq
  - pkg:apk/wolfi/kube-metrics-adapter
  - pkg:apk/wolfi/snyk-cli
  - pkg:apk/wolfi/temporal
  - pkg:apk/wolfi/temporal-ui-server
  - pkg:golang/github.com/gomarkdown/markdown
- (no CPE) range: < 0.17.0-r4
- (no CPE) range: < 8.30.1-r2
- (no CPE) range: < 0.2.8-r8
- (no CPE) range: < 0.2.8-r6
- (no CPE) range: < 1.1304.0-r1
- (no CPE) range: < 1.7.0-r1
- (no CPE) range: < 1.6.2-r5
- (no CPE) range: < 2.48.3-r1
- (no CPE) range: < 2.48.3-r1
- (no CPE) range: < 0.17.0-r4
- (no CPE) range: < 0.2.8-r8
- (no CPE) range: < 1.1304.0-r1
- (no CPE) range: < 1.7.0-r1
- (no CPE) range: < 2.48.3-r1
- (no CPE) range: < 0.0.0-20260411013819-759bbc3e3207
References
- github.com/gomarkdown/markdown/commit/759bbc3e32073c3bc4e25969c132fc520eda2778 (nvd: Patch, WEB)
- github.com/gomarkdown/markdown/security/advisories/GHSA-77fj-vx54-gvh7 (nvd: Exploit, Vendor Advisory, WEB)
- github.com/advisories/GHSA-77fj-vx54-gvh7 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-40890 (ghsa: ADVISORY)