cvedb.io
CVE-2026-40890
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-04-21T20:17:02.810 · Last modified 2026-06-17T10:45:50.027

Summary

The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. This vulnerability is fixed with commit 759bbc3e32073c3bc4e25969c132fc520eda2778.

Affected products

gomarkdown — markdown

Does this affect you?

Add your gear to cvedb and we'll alert you only when gomarkdown ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.