CVE-2026-40890

CVE-2026-40890

Name

CVE-2026-40890

Description

The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. This vulnerability is fixed with commit 759bbc3e32073c3bc4e25969c132fc520eda2778.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security-advisories@github.com	https://github.com/gomarkdown/markdown/commit/759bbc3e32073c3bc4e25969c132fc520eda2778
security-advisories@github.com	https://github.com/gomarkdown/markdown/security/advisories/GHSA-77fj-vx54-gvh7

Type

URI

security-advisories@github.com

https://github.com/gomarkdown/markdown/commit/759bbc3e32073c3bc4e25969c132fc520eda2778

security-advisories@github.com

https://github.com/gomarkdown/markdown/security/advisories/GHSA-77fj-vx54-gvh7

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:gomarkdown:markdown::::::go::*`	markdown	>= None	< 2026-04-10

CPE URI

Source package

Min version

Max version

cpe:2.3:a:gomarkdown:markdown:*:*:*:*:*:go:*:*

markdown

>= None

< 2026-04-10

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
markdown	edge-community	1.0.1-r3	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
markdown	edge-community	1.0.1-r2	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
markdown	3.23-community	1.0.1-r3	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

markdown

edge-community

1.0.1-r3

Kevin Daudt <kdaudt@alpinelinux.org>

possibly vulnerable

markdown

edge-community