CVE-2026-41680: Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific…

high8.7CVSS 4.0

AVNACLATNPRNUINVCNVINVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

Affected

32 ranges· showing 25

Vendor	Product	Version range	Fixed in
advanced-cluster-security	rhacs-main-rhel8	—	—
ansible-automation-platform-26	gateway-rhel9	—	—
ansible-automation-platform-tech-preview	mcp-server-rhel9	—	—
ansible-automation-platform	automation-portal	—	—
apicurio	apicurio-registry-ui-rhel8	—	—
apicurio	apicurio-registry-ui-rhel9	—	—
apicurio	apicurio-studio-ui-rhel8	—	—
grafana	grafana	—	—
marked_project	marked	—	—
marked_project	marked	>= 18.0.0 < 18.0.2	18.0.2
marked_project	marked	>= 18.0.0 < 18.0.2	18.0.2
markedjs	marked	—	—
migration-toolkit-virtualization	mtv-console-plugin-rhel9	—	—
multicluster-engine	console-mce-rhel9	—	—
openshift-gitops-1	argocd-rhel8	—	—
openshift-gitops-1	argocd-rhel9	—	—
openshift-lightspeed	lightspeed-console-plugin-419-rhel9	—	—
openshift-lightspeed	lightspeed-console-plugin-rhel9	—	—
openshift-service-mesh	kiali-ossmc-rhel9	—	—
openshift-service-mesh	kiali-rhel9	—	—
openshift4	ose-console-rhel9	—	—
openshift4	ose-monitoring-plugin-rhel9	—	—
rhacm2	console-rhel9	—	—
rhceph	alloy-rhel10	—	—
rhdesktop	rh-podman-desktop-ext-bootc-rhel10	—	—