High severity (CVSS 7.5) · NVD Advisory · Published Apr 21, 2026 · Updated Apr 27, 2026
CVE-2026-40890
Description
The package github.com/gomarkdown/markdown is a Go library for parsing Markdown text and rendering it as HTML. Processing a malformed input that contains a < character with no > character anywhere in the remaining text, using a SmartypantsRenderer, leads to an out-of-bounds read or a panic. This vulnerability is fixed in commit 759bbc3e32073c3bc4e25969c132fc520eda2778.
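The failure mode in the description, as an added example that is neither part of the advisory nor the gomarkdown code: a reconstruction of the left-angle scan the advisory describes (the function names vulnerableLeftAngle, fixedLeftAngle, ScanUnterminated and ScanFixed and the inputs are constructed for this example). It shows that, with no closing >, the pre-fix slice text[:i+1] panics when the slice has no spare capacity and silently reads a stale byte past len when it does, and it pins both cases down with a guarded version of the kind a regression test should cover.

```go
package main

import (
	"bytes"
	"fmt"
)

// vulnerableLeftAngle is a reconstruction of the pre-fix scan described by the
// advisory (illustrative code, not the library's own): it scans for '>' and
// then slices text[:i+1] even when the loop ran off the end, i.e. i == len(text).
// Whether that panics or reads a stale byte depends on the slice's capacity.
func vulnerableLeftAngle(out *bytes.Buffer, text []byte) (consumed int, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	i := 0
	for i < len(text) && text[i] != '>' {
		i++
	}
	out.Write(text[:i+1]) // i+1 > len(text) when no '>' exists
	return i, nil
}

// fixedLeftAngle adds the bounds guard from the fix commit. Unlike the upstream
// patch, which returns without writing, this version also emits the scanned
// bytes so an unterminated '<' is passed through rather than dropped.
func fixedLeftAngle(out *bytes.Buffer, text []byte) int {
	i := 0
	for i < len(text) && text[i] != '>' {
		i++
	}
	if i == len(text) { // no '>' anywhere in the remaining text
		out.Write(text[:i])
		return i
	}
	out.Write(text[:i+1]) // include the '>'
	return i
}

// ScanUnterminated runs the vulnerable scanner and reports what reached the
// output and whether the call panicked.
func ScanUnterminated(text []byte) (output string, panicked bool) {
	var out bytes.Buffer
	_, err := vulnerableLeftAngle(&out, text)
	return out.String(), err != nil
}

// ScanFixed runs the guarded scanner and returns what reached the output.
func ScanFixed(text []byte) string {
	var out bytes.Buffer
	fixedLeftAngle(&out, text)
	return out.String()
}

func main() {
	// Constructed inputs. A three-index slice pins cap == len, so the
	// out-of-range slice panics; a sub-slice of a larger backing array has
	// spare capacity, so the same slice silently reads a byte past len.
	exact := []byte("<b")
	exact = exact[:len(exact):len(exact)]
	backing := []byte("<b XYZ")
	spare := backing[:2]

	out, panicked := ScanUnterminated(exact)
	fmt.Printf("exact capacity:  panicked=%v output=%q\n", panicked, out)
	out, panicked = ScanUnterminated(spare)
	fmt.Printf("spare capacity:  panicked=%v output=%q\n", panicked, out)
	fmt.Printf("fixed, no '>':   output=%q\n", ScanFixed(exact))
	fmt.Printf("fixed, with '>': output=%q\n", ScanFixed([]byte("<b>c")))
}
```

The three-index slice matters: a plain []byte("<b") is rounded up to an allocation size class, so it usually has spare capacity and the bug then shows up as a leaked stale byte rather than a crash, which is why a regression test should exercise both shapes.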
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/gomarkdown/markdown (Go) | < 0.0.0-20260411013819-759bbc3e3207 | 0.0.0-20260411013819-759bbc3e3207 |
Affected products
- cpe:2.3:a:gomarkdown:markdown:*:*:*:*:*:go:*:* (range: <2026-04-10)
- (no CPE)
Patches
- 759bbc3e3207: fix oob read when no > is found
1 file changed · +4 −1
html/smartypants.go+4 −1 modified@@ -371,7 +371,10 @@ func (r *SPRenderer) smartLeftAngle(out *bytes.Buffer, previousChar byte, text [ i++ } - out.Write(text[:i+1]) + if i == len(text) { // No > found until the end of the text + return i + } + out.Write(text[:i+1]) // include the '>' return i }
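Review bot: the guard added before `out.Write(text[:i+1])` returns `i` without writing any of the scanned bytes to `out`, so when no `>` follows, the `<` and everything after it reach the rendered output only if the caller re-emits them; writing `text[:i]` before the `return i` would keep the bounds fix while passing the unterminated text through, and a regression test with an input such as `a <b` (no closing `>`) should assert both that the call no longer panics and what the output contains. The removed `out.Write(text[:i+1])` with `i == len(text)` slices one past the length, which panics when the slice's capacity equals its length and otherwise reads a stale byte from the backing array beyond `len`, so the test should cover both capacity shapes.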
References
- github.com/gomarkdown/markdown/commit/759bbc3e32073c3bc4e25969c132fc520eda2778 (NVD: Patch)
- github.com/gomarkdown/markdown/security/advisories/GHSA-77fj-vx54-gvh7 (NVD: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-77fj-vx54-gvh7 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-40890 (GHSA: Advisory)