High severity7.5NVD Advisory· Published Apr 24, 2026· Updated Apr 28, 2026

CVE-2026-41680

Description

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
markednpm	>= 18.0.0, < 18.0.2	18.0.2

Affected products

Marked Project/Marked
cpe:2.3:a:marked_project:marked:*:*:*:*:*:node.js:*:*
Range: >=18.0.0,<18.0.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7nvdExploitVendor AdvisoryWEB
github.com/advisories/GHSA-6v9c-7cg6-27q7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-41680ghsaADVISORY

News mentions

Bring out your dead: How agentic AI for cybersecurity helps you rid your cloud of forgotten, risky assets
Tenable Blog · May 14, 2026
May 2026 Patch Tuesday: no zero-days but plenty to fix
Malwarebytes Labs · May 13, 2026
Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities
Cisco Talos Intelligence · May 12, 2026
Microsoft May 2026 Patch Tuesday: Many fixes, but no zero-days
Help Net Security · May 12, 2026
Apple, Google drag cross-platform texting into the encrypted age
The Register Security · May 12, 2026
The State of Ransomware – Q1 2026
Check Point Research · May 11, 2026
When DNSSEC goes wrong: how we responded to the .de TLD outage
Cloudflare Blog · May 6, 2026
The 2026 World Cup scam economy is already running before the first whistle
Malwarebytes Labs · May 4, 2026
Microsoft's patch for a 0-day exploited by Russian spies fell short. Another Windows flaw is under attack
The Register Security · Apr 29, 2026
Shutdowns, power outages, and conflict: a review of Q1 2026 Internet disruptions
Cloudflare Blog · Apr 28, 2026
Apple fixes iOS bug that kept deleted notifications, including chat previews
Malwarebytes Labs · Apr 23, 2026
Making Rust Workers reliable: panic and abort recovery in wasm‑bindgen
Cloudflare Blog · Apr 22, 2026
IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist
Cisco Talos Intelligence · Apr 22, 2026
Orchestrating AI Code Review at scale
Cloudflare Blog · Apr 20, 2026
Microsoft Patch Tuesday for April 2026 - Snort Rule and Prominent Vulnerabilities
Cisco Talos Intelligence · Apr 14, 2026
AI Threat Landscape Digest January-February 2026
Check Point Research · Mar 29, 2026
Siemens SIMATIC
CISA Alerts

Severity

HighCVSS v3.1

7.5/ 10

CVSS v48.7

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

Probability of exploitation in the next 30 days.

0.09%

VYPR risk score

Composite of severity, exploitation, and reach.

0.49medium

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-400
Uncontrolled Resource Consumption
CWE-674
Uncontrolled Recursion
CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')

CVE ID

CVE-2026-41680

Source code

github.com/markedjs/marked

Credits

M
MaanVader
reporter · ghsa