MEDIUM
markdown-it
CVE published 2026-06-17
CVE-2026-48988
CVE-2026-48988 is a denial-of-service vulnerability in markdown-it, a Markdown parser. When typographer: true is enabled, the smartquotes rule can cause excessive CPU consumption due to quadratic (O(n^2)) processing. This can lead to service degradation or disruption when parsing quote-heavy, user-supplied markdown. Although typographer is disabled by default, many production apps enable it for smart typo [truncated]
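
A defensive pre-parse guard for the condition described above, as an added example (not code from markdown-it or from this advisory): it sends quote-heavy input to a renderer built with typographer off and rejects oversized input before any parsing happens. The limits, the function names and the two-renderer layout are assumptions, and the code assumes Node.js.

```javascript
// Assumed budgets; tune them for your workload (they are not from the advisory).
const DEFAULT_LIMITS = { maxBytes: 64 * 1024, maxQuotes: 2000 };

// Count the ASCII quote characters (" and ') that the smartquotes rule acts on.
function countQuotes(src) {
  let n = 0;
  for (let i = 0; i < src.length; i++) {
    const c = src.charCodeAt(i);
    if (c === 0x22 || c === 0x27) n++;
  }
  return n;
}

// Decide how to treat one untrusted document without parsing it.
// Returns { action: 'smart' | 'plain' | 'reject', reason }.
function classify(src, limits = DEFAULT_LIMITS) {
  if (typeof src !== 'string') {
    return { action: 'reject', reason: 'not a string' };
  }
  if (Buffer.byteLength(src, 'utf8') > limits.maxBytes) {
    return { action: 'reject', reason: 'too large' };
  }
  const quotes = countQuotes(src);
  const action = quotes > limits.maxQuotes ? 'plain' : 'smart';
  return { action, reason: `quotes=${quotes}` };
}

// renderers.smart and renderers.plain are objects with a render(src) method.
// With markdown-it they would be built once at startup, for example:
//   const MarkdownIt = require('markdown-it');
//   const renderers = {
//     smart: new MarkdownIt({ typographer: true }),
//     plain: new MarkdownIt({ typographer: false }),
//   };
// onEvent receives every downgrade or rejection so it can be logged or alerted on.
function makeGuardedRender(renderers, limits = DEFAULT_LIMITS, onEvent = () => {}) {
  return function render(src) {
    const verdict = classify(src, limits);
    if (verdict.action !== 'smart') onEvent(verdict);
    if (verdict.action === 'reject') {
      throw new RangeError(`markdown rejected: ${verdict.reason}`);
    }
    return renderers[verdict.action].render(src);
  };
}
```

Downgrade and rejection events from onEvent are worth recording per client, since repeated hits from one source indicate someone probing the parser.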