Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer

🗓️ 29 Apr 2026 22:12:20Reported by GitHub Advisory DatabaseType

Critical DoS in marked 18.0.0 caused by a tab and newline sequence triggering infinite recursion and memory exhaustion.

Reporter	Title	Published	Views	Family All 24
IBM Security Bulletins	Security Bulletin: Security Vulnerabilities affect IBM Voice Gateway	20 May 202613:41	–	ibm
IBM Security Bulletins	Security Bulletin: There is a vulnerability in marked-14.0.0.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-**-***)	4 May 202614:08	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which is vulnerable to multiple CVEs.	3 Jun 202607:18	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Bob	26 May 202614:04	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining Interim Fix for May 2026	29 May 202610:53	–	ibm
ATTACKERKB	CVE-2026-41680	24 Apr 202617:26	–	attackerkb
Circl	CVE-2026-41680	23 Apr 202601:54	–	circl
CNNVD	marked 资源管理错误漏洞	24 Apr 202600:00	–	cnnvd
CVE	CVE-2026-41680	24 Apr 202617:26	–	cve
Cvelist	CVE-2026-41680 Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer	24 Apr 202617:26	–	cvelist

Vulners

Node

marked_project markedRange18.0.0–18.0.1npm

Source	Link
github	www.github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-41680
github	www.github.com/advisories/GHSA-6v9c-7cg6-27q7

29 Apr 2026 22:12Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.17.5

CVSS 48.7

EPSS0.00129

SSVC