{"url":"http://public2.vulnerablecode.io/api/packages/10353?format=json","purl":"pkg:pypi/mistune@0.4.1","type":"pypi","namespace":"","name":"mistune","version":"0.4.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.2.1","latest_non_vulnerable_version":"3.2.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35132?format=json","vulnerability_id":"VCID-5qkf-gk57-v3gt","summary":"mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\\nscript:) or a crafted email address, related to the escape and autolink functions.","references":[{"reference_url":"https://github.com/advisories/GHSA-hpv5-v8g5-c864","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hpv5-v8g5-c864"},{"reference_url":"https://github.com/lepture/mistune/pull/140","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/lepture/mistune/pull/140"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15612","reference_id":"CVE-2017-15612","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15612"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/10362?format=json","purl":"pkg:pypi/mistune@0.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6qv4-1d5y-pfdb"},{"vulnerability":"VCID-f9u2-brma-sfba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mistune@0.8"}],"aliases":["CVE-2017-15612","GHSA-hpv5-v8g5-c864","PYSEC-2017-80"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5qkf-gk57-v3gt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35157?format=json","vulnerability_id":"VCID-6qv4-1d5y-pfdb","summary":"Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the \"key\" argument.","references":[{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1524596","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1524596"},{"reference_url":"https://github.com/advisories/GHSA-98gj-wwxm-cj3h","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-98gj-wwxm-cj3h"},{"reference_url":"https://github.com/lepture/mistune","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/lepture/mistune"},{"reference_url":"https://github.com/lepture/mistune/blob/master/CHANGES.rst","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/lepture/mistune/blob/master/CHANGES.rst"},{"reference_url":"https://github.com/lepture/mistune/commit/5f06d724bc05580e7f203db2d4a4905fc1127f98","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/lepture/mistune/commit/5f06d724bc05580e7f203db2d4a4905fc1127f98"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/mistune/PYSEC-2017-18.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/mistune/PYSEC-2017-18.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NUR3GMHQBMA3UC4PFMCK6GCLOQC4LQQC","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NUR3GMHQBMA3UC4PFMCK6GCLOQC4LQQC"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NUR3GMHQBMA3UC4PFMCK6GCLOQC4LQQC/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NUR3GMHQBMA3UC4PFMCK6GCLOQC4LQQC/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16876","reference_id":"CVE-2017-16876","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16876"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/10584?format=json","purl":"pkg:pypi/mistune@0.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-f9u2-brma-sfba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mistune@0.8.1"}],"aliases":["CVE-2017-16876","GHSA-98gj-wwxm-cj3h","PYSEC-2017-18"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6qv4-1d5y-pfdb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37343?format=json","vulnerability_id":"VCID-f9u2-brma-sfba","summary":"Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and realier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer.","references":[{"reference_url":"https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50776?format=json","purl":"pkg:pypi/mistune@3.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mistune@3.2.1"}],"aliases":["CVE-2026-44896","GHSA-58cw-g322-p94v","PYSEC-2026-168"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f9u2-brma-sfba"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mistune@0.4.1"}