Fluid Attacks Database

Description

The package github.com/gomarkdown/markdown is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. This vulnerability is fixed with commit 759bbc3e32073c3bc4e25969c132fc520eda2778.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	golang-github-gomarkdown-markdown	=0.0~git20220731.dcdaee8-2 \|\| =0.0~git20231115.a660076-1	-
go	github.com/gomarkdown/markdown	>=0 <0.0.0-20260411013819-759bbc3e3207	0.0.0-20260411013819-759bbc3e3207
debian 13	golang-github-gomarkdown-markdown	=0.0~git20231115.a660076-1	-
debian 14	golang-github-gomarkdown-markdown	=0.0~git20231115.a660076-1	-

Aliases

1. CVE-2026-408902. NVD-2026-408903. OSV-DEBIAN-2026-408904. OSV-2026-408905. GHSA-77fj-vx54-gvh76. GCVE-2026-408907. SECURITY-TRACKER-CVE-2026-40890

References

1. https://github.com/gomarkdown/markdown/security/advisories/GHSA-77fj-vx54-gvh72. https://github.com/gomarkdown/markdown/commit/759bbc3e32073c3bc4e25969c132fc520eda2778