marked — CVE history (npm)
marked
11 CVEs affect the marked npm package (highest CVSS 7.5). Latest disclosed: 2026-04-24. Full CVE history sourced from NVD.
Summary
- Package
marked(npm)- Total CVEs
11- Actively exploited (CISA KEV)
- 0
- Highest CVSS
7.5- Latest disclosed
- 2026-04-24
Recent CVEs (top 11)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-41680 | High | 7.5 | — | 2026-04-24 | Marked is a markdown parser and compiler. |
CVE-2018-25110 | High | 7.5 | — | 2025-05-23 | Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. |
CVE-2022-21681 | High | 7.5 | — | 2022-01-14 | Marked is a markdown parser and compiler. |
CVE-2022-21680 | High | 7.5 | — | 2022-01-14 | Marked is a markdown parser and compiler. |
CVE-2021-21306 | Medium | 5.3 | — | 2021-02-08 | Marked is an open-source markdown parser and compiler (npm package "marked"). |
CVE-2014-3743 | Medium | 6.1 | — | 2020-01-06 | Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's. |
CVE-2017-16114 | High | 7.5 | — | 2018-06-07 | The marked module is vulnerable to a regular expression denial of service. |
CVE-2016-10531 | Medium | 6.1 | — | 2018-05-31 | marked is an application that is meant to parse and compile markdown. |
CVE-2017-1000427 | Medium | 6.1 | — | 2018-01-02 | marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser. |
CVE-2015-8854 | High | 7.5 | — | 2017-01-23 | The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial o… |
CVE-2015-1370 | — | — | — | 2015-01-27 | Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link. |
All-time worst (top 10 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-41680 | High | 7.5 | — | 2026-04-24 | Marked is a markdown parser and compiler. |
CVE-2018-25110 | High | 7.5 | — | 2025-05-23 | Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. |
CVE-2022-21681 | High | 7.5 | — | 2022-01-14 | Marked is a markdown parser and compiler. |
CVE-2022-21680 | High | 7.5 | — | 2022-01-14 | Marked is a markdown parser and compiler. |
CVE-2017-16114 | High | 7.5 | — | 2018-06-07 | The marked module is vulnerable to a regular expression denial of service. |
CVE-2015-8854 | High | 7.5 | — | 2017-01-23 | The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial o… |
CVE-2014-3743 | Medium | 6.1 | — | 2020-01-06 | Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's. |
CVE-2016-10531 | Medium | 6.1 | — | 2018-05-31 | marked is an application that is meant to parse and compile markdown. |
CVE-2017-1000427 | Medium | 6.1 | — | 2018-01-02 | marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser. |
CVE-2021-21306 | Medium | 5.3 | — | 2021-02-08 | Marked is an open-source markdown parser and compiler (npm package "marked"). |