github.com/gomarkdown/markdown
cpe:2.3:a:gomarkdown:markdown:*:*:*:*:go:*:*
- <= 37c66b8
A vulnerability in the gomarkdown/markdown library, in versions up to and including commit 37c66b8, allows an out-of-bounds read or panic when the SmartypantsRenderer processes malformed input. The issue arises when a '<' character is not followed by a '>' character anywhere in the remaining text: the renderer treats the '<' as the start of an HTML tag and slices the buffer as if a closing '>' existed, which results in a slice bounds error. This vulnerability is patched in commit 759bbc3.
Triggering this vulnerability causes a runtime panic (slice bounds out of range). Unless the caller recovers the panic, it terminates the process, so any service that renders untrusted Markdown with Smartypants enabled can be taken down by a single malformed document: a denial-of-service condition.
The vulnerability can be reproduced by feeding the SmartypantsRenderer input that contains a '<' character with no '>' anywhere after it. A minimal reproducer is a Go program that imports the gomarkdown/markdown library and the 'bytes' package, constructs the Smartypants renderer, and calls it on the malformed input; the panic is observed when the program is run. Note that Smartypants processing is enabled by the renderer's Smartypants flag, which is part of the html.CommonFlags default set, so renderers built with the common flags are affected without any Smartypants-specific configuration.
Users should upgrade to commit 759bbc3 or later to address this vulnerability. Until the upgrade is deployed, wrapping rendering calls on untrusted input in a deferred recover() limits the impact to a failed request rather than a crashed process.
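The following is an added example, not code from the gomarkdown/markdown project or from the original advisory. It models the bug class described above (a tag-skipping scanner that assumes every '<' has a later '>') in a self-contained filter so that the failure can be run offline without the library, shows the hardened form that treats an unmatched '<' as literal text, and shows the caller-side recover() mitigation suggested in the remediation paragraph. The function names scanUnchecked, scanChecked and renderSafely, and the sample inputs, are constructed for this example; the real library's panic message and internal scanning code differ.

```go
package main

import (
	"bytes"
	"fmt"
)

// scanUnchecked is a constructed model of the defect: it assumes every '<'
// starts a tag that is closed by a later '>'. When no '>' exists, the inner
// loop reads past the end of text and Go panics. (Assumption: this models
// the bug class only; it is not gomarkdown's code.)
func scanUnchecked(text []byte) []byte {
	var out bytes.Buffer
	for i := 0; i < len(text); i++ {
		if text[i] == '<' {
			j := i
			for text[j] != '>' { // BUG: no bound check on j
				j++
			}
			out.Write(text[i : j+1]) // copy the tag through untouched
			i = j
			continue
		}
		out.WriteByte(text[i])
	}
	return out.Bytes()
}

// scanChecked is the hardened form: locate '>' with bytes.IndexByte and,
// when it is absent, emit the '<' as ordinary text instead of treating it
// as a tag.
func scanChecked(text []byte) []byte {
	var out bytes.Buffer
	for i := 0; i < len(text); i++ {
		if text[i] == '<' {
			if n := bytes.IndexByte(text[i:], '>'); n >= 0 {
				out.Write(text[i : i+n+1])
				i += n
				continue
			}
			// no closing '>' anywhere after this point: fall through
		}
		out.WriteByte(text[i])
	}
	return out.Bytes()
}

// renderSafely is the caller-side mitigation for unpatched deployments:
// it converts a renderer panic into an error so that one malformed document
// fails its own request instead of terminating the process.
func renderSafely(text []byte, render func([]byte) []byte) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			out = nil
			err = fmt.Errorf("renderer panicked on input %q: %v", text, r)
		}
	}()
	return render(text), nil
}

func main() {
	// Constructed inputs: one well-formed tag, one '<' with no later '>'.
	good := []byte("see <b>bold</b> text")
	bad := []byte("a < b and no closing angle bracket")

	for _, in := range [][]byte{good, bad} {
		if out, err := renderSafely(in, scanUnchecked); err != nil {
			fmt.Println("unchecked:", err)
		} else {
			fmt.Printf("unchecked: %s\n", out)
		}
		out, _ := renderSafely(in, scanChecked)
		fmt.Printf("checked:   %s\n", out)
	}
}
```

Against the real library the same malformed input would be passed to the Smartypants renderer obtained from the html package's exported constructor (html.NewSmartypantsRenderer, as I understand the API) via its Process method; the recover() wrapper applies unchanged to that call. The hardened scanner's choice to emit an unmatched '<' verbatim matches what a reader expects from a typographic filter: it must never change which bytes reach the output, only how quotes and dashes are rendered.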