{"url":"http://public2.vulnerablecode.io/api/packages/28626?format=json","purl":"pkg:pypi/mistune@2.0.0a4","type":"pypi","namespace":"","name":"mistune","version":"2.0.0a4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.2.1","latest_non_vulnerable_version":"3.2.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37343?format=json","vulnerability_id":"VCID-f9u2-brma-sfba","summary":"Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and realier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer.","references":[{"reference_url":"https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50776?format=json","purl":"pkg:pypi/mistune@3.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mistune@3.2.1"}],"aliases":["CVE-2026-44896","GHSA-58cw-g322-p94v","PYSEC-2026-168"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f9u2-brma-sfba"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36152?format=json","vulnerability_id":"VCID-hnd6-6nyj-7ydb","summary":"In mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.","references":[{"reference_url":"https://github.com/advisories/GHSA-fw3v-x4f2-v673","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fw3v-x4f2-v673"},{"reference_url":"https://github.com/lepture/mistune/commit/a6d43215132fe4f3d93f8d7e90ba83b16a0838b2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/lepture/mistune/commit/a6d43215132fe4f3d93f8d7e90ba83b16a0838b2"},{"reference_url":"https://github.com/lepture/mistune/releases","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/lepture/mistune/releases"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28633?format=json","purl":"pkg:pypi/mistune@2.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-f9u2-brma-sfba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mistune@2.0.3"}],"aliases":["CVE-2022-34749","GHSA-fw3v-x4f2-v673","PYSEC-2022-237"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hnd6-6nyj-7ydb"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/mistune@2.0.0a4"}