CVE-2026-45665
Open WebUI contains a Stored XSS in the Banner component due to incorrect sanitization order (DOMPurify before marked.parse). The vulnerability allows a compromised administrator to store a payload in the global banner that is rendered for all users, including the Super Admin, enabling privilege ...
CVE-2026-44568 Open WebUI: Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order. An admi...
Open WebUI cross-site scripting vulnerability
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI that is open source. Versions of Open WebUI prior to 0.9.0 had a cross-site scripting vulnerability. This vulnerability stemmed from the AccountPending.svelte component using marked.parse to render...
GHSA-CQP4-QQVG-3787 Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order
Summary: A Stored Cross-Site Scripting (XSS) vulnerability exists in the Banner component due to an improper sanitization order; specifically, DOMPurify is executed before the marked library. This vulnerability allows a compromised or malicious administrator to plant a malicious payload in the global...
GHSA-G485-8J3V-P6X8 @tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Origin
Summary: Anonymous GitHub fetches repository content (e.g., markdown files) from GitHub's API and renders it without sanitization. On the client side, markdown is parsed with marked with sanitize: false and injected into the DOM via $sce.trustAsHtml + ng-bind-html, bypassing AngularJS's built-in XSS...
CVE-2026-41680
A flaw was found in marked, a markdown parser and compiler. An unauthenticated attacker can exploit this Denial of Service (DoS) vulnerability by providing a specific 3-byte input sequence (a tab, a vertical tab, and a newline). This input triggers an infinite recursion loop during parsing, leading t...
Linux Distros Unpatched Vulnerability : CVE-2026-41680
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte...
Security Bulletin: There is a vulnerability in marked-14.0.0.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-****-*****)
Summary: There is a vulnerability in marked-14.0.0.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details: CVEID: CVE-2026-41680. DESCRIPTION: Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exis...
Astra Linux - vulnerability in node-marked
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch might cause catastrophic backtracking for certain strings, leading to a denial of service (DoS) attack. Any user who runs untrusted markdown using a vulnerable version of Marked, without...
GHSA-6V9C-7CG6-27Q7 Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer
Summary: A critical Denial of Service (DoS) vulnerability exists in [email protected]. By providing a specific 3-byte input sequence (a tab, a vertical tab, and a newline: \x09\x0b\n), an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocatio...
NPM: Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer
NPM: Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer vulnerability discovered by ? in WordPress Npm marked versions >= 18.0.0, <= 18.0.1...
Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer
Summary: A critical Denial of Service (DoS) vulnerability exists in [email protected]. By providing a specific 3-byte input sequence (a tab, a vertical tab, and a newline: \x09\x0b\n), an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocatio...
Allocation of Resources Without Limits or Throttling
Overview: marked is a low-level compiler for parsing markdown without caching or blocking for long periods of time. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Tokenizer. An attacker can cause the application to exhaust system...
Allocation of Resources Without Limits or Throttling
Overview: org.webjars.npm:marked is a low-level compiler for parsing markdown without caching or blocking for long periods of time. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Tokenizer. An attacker can cause the application to...
CVE-2026-41680
Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence (a tab, a vertical tab, and a newline: \x09\x0b\n), an unauthenticated attacker can trigger an infinite recursion loop during...
EUVD-2026-25585
Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence (a tab, a vertical tab, and a newline: \x09\x0b\n), an unauthenticated attacker can trigger an infinite recursion loop during...
CVE-2026-41680 Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer
Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence (a tab, a vertical tab, and a newline: \x09\x0b\n), an unauthenticated attacker can trigger an infinite recursion loop during...
CVE-2026-41680
CVE-2026-41680 affects the Marked markdown parser/compiler. From versions 18.0.0 through 18.0.1, an unauthenticated attacker can trigger an infinite recursion in the tokenizer by sending the 3-byte sequence: tab, vertical tab, newline (\x09\x0b\n). This leads to unbounded memory allocation and ca...