{"data":{"id":"fa262c6c-dd67-44f6-93fc-d9d2d9034daa","title":"GHSA-6v9c-7cg6-27q7: Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer","summary":"A critical vulnerability in marked@18.0.0 allows an unauthenticated attacker to crash any Node.js application using this library by sending just 3 special characters (a tab, vertical tab, and newline). These characters trick the parser into infinite recursion (a function calling itself endlessly), which allocates memory indefinitely until the application runs out of memory (OOM, or out-of-memory error) and crashes.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-6v9c-7cg6-27q7","publishedAt":"2026-04-29T22:12:20.000Z","cveId":"CVE-2026-41680","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["marked@>= 18.0.0, <= 18.0.1 (fixed: 18.0.2)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["marked"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00066,"patchAvailable":true,"disclosureDate":"2026-04-29T22:12:20.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}