PatchSiren cyber security CVE debrief
CVE-2026-59887 markdown-it CVE debrief
CVE-2026-59887 is a denial of service vulnerability in the linkify-it library. The vulnerability is caused by the mailto: schema validator used by .test() and .match() which can be invoked at every mailto: occurrence and scan the remaining input, leading to O(n^2) CPU consumption on crafted user text. This issue is fixed in version 5.0.2. The vulnerability has a high CVSS score of 7.5 and can be exploited by crafted user text, potentially causing performance issues and leading to a denial of service.
- Vendor
- markdown-it
- Product
- linkify-it
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Developers and users of the linkify-it library should be aware of this vulnerability and take steps to mitigate it. This vulnerability has a high CVSS score of 7.5 and can be exploited by crafted user text, potentially causing performance issues and leading to a denial of service. Affected operators, platforms, and security teams should review and address this vulnerability.
Technical summary
The linkify-it library prior to version 5.0.2 contains a denial of service vulnerability. The vulnerability is caused by the mailto: schema validator used by .test() and .match() which can be invoked at every mailto: occurrence and scan the remaining input, leading to O(n^2) CPU consumption on crafted user text. This can cause performance issues and potentially lead to a denial of service. The vulnerability has a high CVSS score of 7.5.
Defensive priority
High
Recommended defensive actions
- Update to version 5.0.2 or later
- Validate and sanitize user input
- Monitor for suspicious activity
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-08T17:17:26.883Z and was last modified on 2026-07-10T19:13:03.283Z. The NVD entry is currently Awaiting Analysis. This information is based on the provided source corpus. Further verification is recommended to confirm the accuracy of this information.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T17:17:26.883Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.