{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41680", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-22T03:53:24.406Z", "datePublished": "2026-04-24T17:26:27.847Z", "dateUpdated": "2026-04-24T19:08:41.300Z"}, "containers": {"cna": {"title": "Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-835", "lang": "en", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7"}], "affected": [{"vendor": "markedjs", "product": "marked", "versions": [{"version": ">= 18.0.0, < 18.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T17:26:27.847Z"}, "descriptions": [{"lang": "en", "value": "Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\\x09\\x0b\\n)\u2014an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2."}], "source": {"advisory": "GHSA-6v9c-7cg6-27q7", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T19:07:49.403065Z", "id": "CVE-2026-41680", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T19:08:41.300Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41680", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-22T03:53:24.406Z", "datePublished": "2026-04-24T17:26:27.847Z", "dateUpdated": "2026-04-24T19:08:41.300Z"}, "containers": {"cna": {"title": "Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-835", "lang": "en", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7"}], "affected": [{"vendor": "markedjs", "product": "marked", "versions": [{"version": ">= 18.0.0, < 18.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T17:26:27.847Z"}, "descriptions": [{"lang": "en", "value": "Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\\x09\\x0b\\n)\u2014an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2."}], "source": {"advisory": "GHSA-6v9c-7cg6-27q7", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41680", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T19:07:49.403065Z"}}}], "references": [{"url": "https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T19:08:04.324Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:marked_project:marked:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "DB353E43-35DC-4CBF-94F8-3060809E4DB4", "versionEndExcluding": "18.0.2", "versionStartIncluding": "18.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\\x09\\x0b\\n)\u2014an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2."}], "id": "CVE-2026-41680", "lastModified": "2026-04-28T19:37:46.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T18:16:29.567", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-674"}, {"lang": "en", "value": "CWE-835"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "marked: Marked: Denial of Service via specific input sequence", "id": "2461603", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461603"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-835", "details": ["A flaw was found in marked, a markdown parser and compiler. An unauthenticated attacker can exploit this Denial of Service (DoS) vulnerability by providing a specific 3-byte input sequence (a tab, a vertical tab, and a newline). This input triggers an infinite recursion loop during parsing, leading to unbounded memory allocation and causing the host Node.js application to crash due to Memory Exhaustion (OOM)."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, Red Hat products that utilize the 'marked' library should be configured to process markdown content only from trusted sources. If markdown rendering is not a critical function, consider disabling or restricting its use within the application's configuration to reduce exposure."}, "name": "CVE-2026-41680", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Not affected", "package_name": "multicluster-engine/console-mce-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Not affected", "package_name": "openshift-lightspeed/lightspeed-console-plugin-419-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Not affected", "package_name": "openshift-lightspeed/lightspeed-console-plugin-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Not affected", "package_name": "openshift-service-mesh/kiali-ossmc-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Not affected", "package_name": "openshift-service-mesh/kiali-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/console-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-26/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-tech-preview/mcp-server-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-gateway", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-platform-ui", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "marked", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Affected", "package_name": "apicurio/apicurio-registry-ui-rhel8", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Affected", "package_name": "apicurio/apicurio-registry-ui-rhel9", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Affected", "package_name": "apicurio/apicurio-studio-ui-rhel8", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Affected", "package_name": "rh-podman-desktop.git", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Will not fix", "package_name": "rhdesktop/rh-podman-desktop-ext-bootc-rhel10", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}, {"cpe": "cpe:/a:redhat:ceph_storage:9", "fix_state": "Affected", "package_name": "rhceph/alloy-rhel10", "product_name": "Red Hat Ceph Storage 9"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "marked", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "cldr-emoji-annotation", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "marked", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "ruff", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "yarnpkg", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Will not fix", "package_name": "marked", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "marked", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "marked", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-mod-arch-gen-ai-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mod-arch-maas-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mod-arch-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-console-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-monitoring-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel9", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite/iop-advisor-frontend-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite/iop-vulnerability-frontend-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Affected", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Affected", "package_name": "marked", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Affected", "package_name": "marked", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-04-24T17:26:27Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-41680\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41680\nhttps://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[18.0.0,18.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "marked", "source": "cna", "vendor": "markedjs"}, "product": "marked", "vendor": "markedjs"}], "analysis": {"en": {"generated_at": "2026-04-28T05:58:29.342510+00:00", "value": {"mitigation_remediation": ["Upgrade the marked library to version 18.0.2 or later, which includes the fix for the infinite recursion bug.", "If an upgrade is not immediately possible, configure the parser to operate in safe mode or set a maximum recursion depth to prevent unbounded memory usage.", "Validate or sanitize user\u2011supplied Markdown before passing it to marked, ensuring that the specific three\u2011byte sequence is removed or escaped to thwart exploitation."], "summary": {"action": "Apply Patch", "impact": "Memory Exhaustion (OOM) leading to application crash"}, "threat_synthesis": {"affected_systems": "Marked versions from 18.0.0 up to and including 18.0.1 are impacted. These releases are used in Node.js applications that import the marked library for rendering Markdown. Any environment that passes untrusted content to marked may be affected.", "description_and_impact": "Marked, a popular Markdown parser, contains a flaw that triggers an infinite recursion during tokenization when it encounters a specific three\u2011byte sequence (0x09 0x0B 0x0A). The unbounded recursion causes the parser to allocate memory without limit, leading to a memory exhaustion condition that crashes the host Node.js process. The vulnerability is a resource exhaustion flaw (CWE\u2011400) amplified by an unprotected infinite loop (CWE\u2011835) and integer overflow issues (CWE\u2011674).", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high\u2011severity denial of service weakness. The EPSS score of less than 1% suggests that active exploitation is considered unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. An unauthenticated attacker can exploit the issue by feeding the target markdown parser the malicious three\u2011byte sequence; the attack does not require privileged access or user interaction beyond the ability to supply input to the parser."}}}}, "created": "2026-04-27T20:20:52.504114+00:00", "updated": "2026-04-28T06:00:09.624833+00:00", "vendors": ["markedjs", "markedjs$PRODUCT$marked"]}