CVE-2026-41680: Denial of Service via Infinite Recursion in marked Lexer

Vulnerability ID: CVE-2026-41680
CVSS Score: 7.5
Published: 2026-04-29

The marked Node.js Markdown parser versions 18.0.0 and 18.0.1 contain a critical vulnerability where a specific 3-byte sequence triggers infinite recursion. This flaw leads to rapid memory exhaustion and application denial of service.

TL;DR

Unauthenticated DoS in marked via a 3-byte payload (\t\v\n) causing infinite loops and Out-of-Memory crashes.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-835, CWE-400
Attack Vector: Network
CVSS v3.1: 7.5 (High)
EPSS Score: 0.07%
Impact: Denial of Service (OOM)
Exploit Status: PoC Available

Affected Systems

Node.js applications running marked versions 18.0.0 through 18.0.1
Systems processing untrusted Markdown input via affected marked versions

marked: 18.0.0 - 18.0.1 (Fixed in: 18.0.2)

Code Analysis

Commit: 58a52e8

Implemented progress guard in src/Lexer.ts to track srcLength and prevent infinite loops, plus…
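
The progress-guard idea named in the Code Analysis entry, sketched as an added example that is not code from marked or from this advisory. The rule set, `lex`, `guard` and `maxSteps` are hypothetical, and the toy grammar is constructed so that it stalls on the `\t\v\n` sequence; only the idea of comparing the remaining input length (`srcLength`) before and after each pass comes from the page.

```javascript
// Toy lexer for illustration only: the rules below are hypothetical and are
// not marked's grammar or its src/Lexer.ts implementation.
const RULES = [
  { type: 'newline', re: /^\n+/ },
  { type: 'text', re: /^\S+/ },
  // Constructed defect: `*` lets this rule match the empty string, so it can
  // report a match without consuming any input.
  { type: 'space', re: /^[ \t]*/ },
];

function lex(input, { guard = true, maxSteps = 10000 } = {}) {
  const tokens = [];
  let src = input;
  // maxSteps applies only to the unguarded run, so that the demo terminates.
  for (let step = 0; src.length > 0 && (guard || step < maxSteps); step++) {
    const srcLength = src.length; // remaining input before this pass
    for (const { type, re } of RULES) {
      const m = re.exec(src);
      if (m) {
        tokens.push({ type, raw: m[0] });
        src = src.slice(m[0].length);
        break;
      }
    }
    // Progress guard: a pass that leaves the input the same length would
    // repeat forever, growing `tokens` until the process runs out of memory.
    if (guard && src.length === srcLength) {
      const offset = input.length - src.length;
      throw new Error(`lexer made no progress at offset ${offset}`);
    }
  }
  return tokens;
}

// Constructed inputs: one benign line and the 3-byte sequence from the advisory.
console.log(lex('hello world\n').map((t) => t.type));
console.log(lex('\t\v\n', { guard: false, maxSteps: 1000 }).length, 'tokens, unguarded');
try {
  lex('\t\v\n');
} catch (e) {
  console.log('guarded:', e.message);
}
```

In the unguarded run the token array grows by one empty token per pass, which is the memory-exhaustion pattern the advisory describes; the guard turns that into a single catchable error.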