CVE-2026-2327: Medium severity npm/markdown-it vulnerability

Published Feb 12, 2026
·
Updated

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\+$/ in the linkify function. An attacker can supply a long sequence of characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.

Affected Software

5 affected componentsFixes available
npm/markdown-it<14.1.1
npm/markdown-it>=13.0.0<14.1.1
14.1.1
Markdown-it Project Markdown-it>=13.0.0<14.1.1
IBM MQ Operator<=SC2: v3.2.0 - v3.2.23 CD:  v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3, v3.6.0 - v3.6.4, v3.7.0 - v3.7.2, v3.8.0, v3.8.1, v3.9.0, v3.9.1 LTS: v2.0.0 - 2.0.29
IBM supplied MQ Advanced container images<=SC2: 9.4.0.6-r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2, 9.4.0.11-r3, 9.4.0.12-r1, 9.4.0.15-r1 - 9.4.0.15-r4, 9.4.0.16-r1, 9.4.0.16-r2, 9.4.0.17-r1, 9.4.0.17-r2, 9.4.0.20-r1CD: 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1, 9.4.2.1-r2, 9.4.3.0-r1, 9.4.3.0-r2, 9.4.3.1-r1 - 9.4.3.1-r3, 9.4.4.0-r1 - 9.4.4.0-r4, 9.4.4.1-r1, 9.4.5.0-r1, 9.4.5.0-r2LTS: 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2

Remediation

Patch Available

https://github.com/markdown-it/markdown-it/commit/4b4bbcae5e0990a5b172378e507b33a59012ed26

Event History

Feb 12, 2026
CVE Published
via MITRE·05:00 AM
Data Sourced
via MITRE·05:00 AM
DescriptionSeverityWeakness
Data Sourced
via NVD·06:16 AM
DescriptionSeverityWeakness
Data Sourced
via NVD·06:16 AM
RemedyAffected Software
Advisory Published
via GitHub·06:30 AM
Data Sourced
via GitHub·06:30 AM
DescriptionSeverityWeaknessAffected Software
May 15, 2026
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software
Jul 2, 58372
Event
via NVD·08:56 AM

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-2327?

CVE-2026-2327 is classified as a Regular Expression Denial of Service (ReDoS) vulnerability.

2

How do I fix CVE-2026-2327?

To fix CVE-2026-2327, upgrade the markdown-it package to version 14.1.1 or later.

3

Which versions are affected by CVE-2026-2327?

CVE-2026-2327 affects markdown-it versions from 13.0.0 up to, but not including, 14.1.1.

4

What kind of attack can exploit CVE-2026-2327?

CVE-2026-2327 can be exploited through a Regular Expression Denial of Service (ReDoS) attack by supplying a specific pattern of characters.

5

Where does the vulnerability CVE-2026-2327 occur?

CVE-2026-2327 occurs in the linkify function of the markdown-it package.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203