CVE-2026-41680

NameCVE-2026-41680
DescriptionMarked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-marked (PTS)bullseye0.8.0+ds+repack-2fixed
bookworm4.2.3+ds+~4.0.7-2fixed
forky, sid, trixie4.2.3+ds+~4.0.7-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-markedsource(unstable)(not affected)

Notes

- node-marked <not-affected> (Only affects 18.0.0 and 18.0.1)
https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7
Search for package or bug name: Reporting problems