Lucene search
K
Marked ProjectMarked

11 matches found

CVE
CVE
added 2022/01/14 12:0 a.m.201 views

CVE-2022-21680

CVE-2022-21680 affects the Node.js Marked markdown parser. Prior to 4.0.10, regex block.def can cause catastrophic backtracking leading to ReDoS when processing untrusted markdown; patch is 4.0.10. Workarounds include running Marked in a worker thread with a reasonable time limit or avoiding untr...

7.5CVSS7.2AI score0.02828EPSS
CVE
CVE
added 2022/01/14 12:0 a.m.174 views

CVE-2022-21681

CVE-2022-21681 affects the Marked markdown parser. The vulnerability is caused by the regular expression inline.reflinkSearch, which may cause catastrophic backtracking and a denial of service when processing untrusted Markdown. Affected versions are prior to 4.0.10. The issue is patched in 4.0.1...

7.5CVSS7.2AI score0.02743EPSS
CVE
CVE
added 2018/05/31 8:0 p.m.115 views

CVE-2016-10531

CVE-2016-10531 affects the marked library (0.3.5 and earlier). The issue arises when parsing HTML entities: &#xNN... leaves trailing text, allowing bypass of sanitize: true and injection of a javascript: URL. This enables cross-site scripting via markdown-rendered links. Affected: marked where li...

6.1CVSS6.2AI score0.01463EPSS
CVE
CVE
added 2020/01/06 7:41 p.m.101 views

CVE-2014-3743

CVE-2014-3743 affects the Node.js Marked module (before 0.3.1). The vulnerability is due to cross-site scripting in two vectors: gfm codeblocks (language) and javascript: URLs, allowing remote attackers to inject arbitrary script/HTML. The OSV and NVD records corroborate XSS in Marked prior to 0....

6.1CVSS5.9AI score0.01715EPSS
CVE
CVE
added 2021/02/08 9:20 p.m.93 views

CVE-2021-21306

Marked (npm package) contains a Regular Expression Denial of Service vulnerability in versions 1.1.1 up to before 2.0.0. The root cause is a REDoS condition when processing user-generated code through marked. Impact is denial of service; upgrade to version 2.0.0 or later to fix. If exploiting det...

7.5CVSS6.2AI score0.02462EPSS
CVE
CVE
added 2018/01/02 11:0 p.m.81 views

CVE-2017-1000427

CVE-2017-1000427: Marked up to version 0.3.6 and earlier is vulnerable to cross-site scripting via the data: URI parser. This is an XSS in user-supplied input that can execute script in the victim’s browser when a crafted URL is clicked. The NVD shows CVSS v3.0 base score 6.1 (network, low attack...

6.1CVSS5.9AI score0.01512EPSS
CVE
CVE
added 2015/01/27 5:0 p.m.77 views

CVE-2015-1370

CVE-2015-1370 affects the marked library (versions 0.3.2 and earlier) used with Node.js. The root cause is an incomplete blacklist that allows cross-site scripting via a vbscript tag in a link, enabling remote XSS. Public references (GHSA, OSV, NVD, CNVD) corroborate the issue and advise upgradin...

4.3CVSS5.8AI score0.02051EPSS
CVE
CVE
added 2017/01/23 9:0 p.m.76 views

CVE-2015-8854

CVE-2015-8854 details (concrete): The vulnerability affects the Node.js marked module prior to 0.3.4. It enables a denial of service (CPU exhaustion) via unspecified vectors that trigger a catastrophic backtracking issue in the Em inline rule, i.e., a ReDoS. Affected products in public docs inclu...

7.8CVSS7.1AI score0.04298EPSS
CVE
CVE
added 2018/06/07 2:0 a.m.72 views

CVE-2017-16114

CVE-2017-16114 affects the marked Markdown parser module. Vulnerable behavior is a regular expression denial of service when processing untrusted input; measurements report about 1,000 characters blocking the event loop for around 6 seconds. Affected environments are those that install the marked...

7.5CVSS7.3AI score0.01758EPSS
CVE
CVE
added 2025/05/23 2:53 p.m.56 views

CVE-2018-25110

CVE-2018-25110 affects the markedjs/marked parser. The vulnerability stems from catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links, allowing a Regular Expression Denial of Service (ReDoS) via crafted markdown input (e.g., deeply nested or repeti...

7.5CVSS6.3AI score0.00493EPSS
CVE
CVE
added 2026/04/24 5:26 p.m.14 views

CVE-2026-41680

CVE-2026-41680 affects the Marked markdown parser/compiler. From versions 18.0.0 through 18.0.1, an unauthenticated attacker can trigger an infinite recursion in the tokenizer by sending the 3-byte sequence: tab, vertical tab, newline (\x09\x0b\n). This leads to unbounded memory allocation and ca...

8.7CVSS5.5AI score0.00342EPSS