PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59887 markdown-it CVE debrief

CVE-2026-59887 is a denial of service vulnerability in the linkify-it library. The vulnerability is caused by the mailto: schema validator used by .test() and .match() which can be invoked at every mailto: occurrence and scan the remaining input, leading to O(n^2) CPU consumption on crafted user text. This issue is fixed in version 5.0.2. The vulnerability has a high CVSS score of 7.5 and can be exploited by crafted user text, potentially causing performance issues and leading to a denial of service.

Vendor
markdown-it
Product
linkify-it
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Developers and users of the linkify-it library should be aware of this vulnerability and take steps to mitigate it. This vulnerability has a high CVSS score of 7.5 and can be exploited by crafted user text, potentially causing performance issues and leading to a denial of service. Affected operators, platforms, and security teams should review and address this vulnerability.

Technical summary

The linkify-it library prior to version 5.0.2 contains a denial of service vulnerability. The vulnerability is caused by the mailto: schema validator used by .test() and .match() which can be invoked at every mailto: occurrence and scan the remaining input, leading to O(n^2) CPU consumption on crafted user text. This can cause performance issues and potentially lead to a denial of service. The vulnerability has a high CVSS score of 7.5.

Defensive priority

High

Recommended defensive actions

  • Update to version 5.0.2 or later
  • Validate and sanitize user input
  • Monitor for suspicious activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-08T17:17:26.883Z and was last modified on 2026-07-10T19:13:03.283Z. The NVD entry is currently Awaiting Analysis. This information is based on the provided source corpus. Further verification is recommended to confirm the accuracy of this information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T17:17:26.883Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.