Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-44896 (GCVE-0-2026-44896)
Vulnerability from cvelistv5 – Published: 2026-05-26 20:33 – Updated: 2026-06-08 23:34- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| URL | Tags |
|---|---|
| https://github.com/lepture/mistune/security/advis… | x_refsource_CONFIRM |
| https://github.com/lepture/mistune/commit/a3cb6e5… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44896",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T13:06:28.976965Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:19:00.807Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mistune",
"vendor": "lepture",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer. Version 3.2.1 contains a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T23:34:02.448Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v"
},
{
"name": "https://github.com/lepture/mistune/commit/a3cb6e5655308797e8be021d6c7b5bab13cbace2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lepture/mistune/commit/a3cb6e5655308797e8be021d6c7b5bab13cbace2"
}
],
"source": {
"advisory": "GHSA-58cw-g322-p94v",
"discovery": "UNKNOWN"
},
"title": "Mistune: XSS via unescaped figclass/figwidth in Figure directive"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44896",
"datePublished": "2026-05-26T20:33:38.696Z",
"dateReserved": "2026-05-07T21:50:33.546Z",
"dateUpdated": "2026-06-08T23:34:02.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-44896",
"date": "2026-07-15",
"epss": "0.00198",
"percentile": "0.09778"
},
"microsoft_vex": {
"current_release_date": "2026-06-03T01:50:01.000Z",
"cve": "CVE-2026-44896",
"id": "msrc_CVE-2026-44896",
"initial_release_date": "2026-05-02T00:00:00.000Z",
"product_status:fixed": "1",
"product_status:known_affected": "1",
"source": "Microsoft CSAF VEX",
"status": "final",
"title": "Mistune: XSS via unescaped figclass/figwidth in Figure directive",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-44896.json",
"version": "2"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-44896\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-26T21:16:39.477\",\"lastModified\":\"2026-06-17T10:51:29.943\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer. Version 3.2.1 contains a patch.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"lepture\",\"product\":\"mistune\",\"versions\":[{\"version\":\"\u003c 3.2.1\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-05-27T13:06:28.976965Z\",\"id\":\"CVE-2026-44896\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mistune_project:mistune:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.2.0\",\"matchCriteriaId\":\"D647BA3B-A532-4964-8200-19F77A0676D0\"}]}]}],\"references\":[{\"url\":\"https://github.com/lepture/mistune/commit/a3cb6e5655308797e8be021d6c7b5bab13cbace2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"redhat_vex": {
"aggregate_severity": "Moderate",
"current_release_date": "2026-07-04T12:34:31+00:00",
"cve": "CVE-2026-44896",
"id": "CVE-2026-44896",
"initial_release_date": "2026-05-26T20:33:38.696000+00:00",
"product_status:known_affected": "25",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "mistune: Mistune: Cross-Site Scripting (XSS) via unescaped HTML attributes",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44896.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44896\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-27T13:06:28.976965Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-27T13:18:49.782Z\"}}], \"cna\": {\"title\": \"Mistune: XSS via unescaped figclass/figwidth in Figure directive\", \"source\": {\"advisory\": \"GHSA-58cw-g322-p94v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"lepture\", \"product\": \"mistune\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.2.1\"}]}], \"references\": [{\"url\": \"https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v\", \"name\": \"https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/lepture/mistune/commit/a3cb6e5655308797e8be021d6c7b5bab13cbace2\", \"name\": \"https://github.com/lepture/mistune/commit/a3cb6e5655308797e8be021d6c7b5bab13cbace2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer. Version 3.2.1 contains a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-08T23:34:02.448Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-44896\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-08T23:34:02.448Z\", \"dateReserved\": \"2026-05-07T21:50:33.546Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-26T20:33:38.696Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
CERTFR-2026-AVI-0685
Vulnerability from certfr_avis - Published: 2026-06-03 - Updated: 2026-06-03
De multiples vulnérabilités ont été découvertes dans Microsoft Azure Linux. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | Azure Linux | azl3 python-mistune 3.0.2-1 versions antérieures à 3.2.1-1 | ||
| Microsoft | Azure Linux | azl3 kubevirt 1.7.1-2 versions antérieures à 1.7.1-6 |
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "azl3 python-mistune 3.0.2-1 versions ant\u00e9rieures \u00e0 3.2.1-1",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 kubevirt 1.7.1-2 versions ant\u00e9rieures \u00e0 1.7.1-6",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-7374",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7374"
},
{
"name": "CVE-2026-44899",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44899"
},
{
"name": "CVE-2026-44896",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44896"
}
],
"initial_release_date": "2026-06-03T00:00:00",
"last_revision_date": "2026-06-03T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0685",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-03T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Microsoft Azure Linux. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Azure Linux",
"vendor_advisories": [
{
"published_at": "2026-05-31",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-7374",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-7374"
},
{
"published_at": "2026-05-28",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-44899",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44899"
},
{
"published_at": "2026-05-28",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-44896",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44896"
}
]
}
FKIE_CVE-2026-44896
Vulnerability from fkie_nvd - Published: 2026-05-26 21:16 - Updated: 2026-06-17 10:51| Vendor | Product | Version | |
|---|---|---|---|
| mistune_project | mistune | * |
{
"affected": [
{
"affectedData": [
{
"product": "mistune",
"vendor": "lepture",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.1"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mistune_project:mistune:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D647BA3B-A532-4964-8200-19F77A0676D0",
"versionEndIncluding": "3.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer. Version 3.2.1 contains a patch."
}
],
"id": "CVE-2026-44896",
"lastModified": "2026-06-17T10:51:29.943",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-44896",
"options": [
{
"exploitation": "none"
},
{
"automatable": "yes"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T13:06:28.976965Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-05-26T21:16:39.477",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/lepture/mistune/commit/a3cb6e5655308797e8be021d6c7b5bab13cbace2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-58CW-G322-P94V
Vulnerability from github – Published: 2026-05-08 23:43 – Updated: 2026-06-08 23:34In src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping (lines 152-168).
This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer.
Other attributes in the same file (src, alt, style) are properly escaped; figclass/figwidth were missed.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.2.0"
},
"package": {
"ecosystem": "PyPI",
"name": "mistune"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44896"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T23:43:12Z",
"nvd_published_at": "2026-05-26T21:16:39Z",
"severity": "MODERATE"
},
"details": "In `src/mistune/directives/image.py`, the `render_figure()` function concatenates `figclass` and `figwidth` options directly into HTML attributes without escaping (lines 152-168).\n\nThis allows attribute injection and XSS even when `HTMLRenderer(escape=True)` is used, because these values bypass the inline renderer.\n\nOther attributes in the same file (src, alt, style) are properly escaped; figclass/figwidth were missed.",
"id": "GHSA-58cw-g322-p94v",
"modified": "2026-06-08T23:34:18Z",
"published": "2026-05-08T23:43:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44896"
},
{
"type": "WEB",
"url": "https://github.com/lepture/mistune/commit/a3cb6e5655308797e8be021d6c7b5bab13cbace2"
},
{
"type": "PACKAGE",
"url": "https://github.com/lepture/mistune"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/mistune/PYSEC-2026-168.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Mistune has XSS via unescaped figclass/figwidth in Figure directive"
}
MSRC_CVE-2026-44896
Vulnerability from csaf_microsoft - Published: 2026-05-02 00:00 - Updated: 2026-06-03 01:50| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 21330-17084 | — |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17084-1 | — |
Vendor Fix
fix
|
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2026/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2026/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2026-44896 Mistune: XSS via unescaped figclass/figwidth in Figure directive - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-44896.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "Mistune: XSS via unescaped figclass/figwidth in Figure directive",
"tracking": {
"current_release_date": "2026-06-03T01:50:01.000Z",
"generator": {
"date": "2026-06-03T07:21:26.233Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2026-44896",
"initial_release_date": "2026-05-02T00:00:00.000Z",
"revision_history": [
{
"date": "2026-05-28T01:06:08.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2026-06-03T01:50:01.000Z",
"legacy_version": "2",
"number": "2",
"summary": "Information published."
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 python-mistune 0:3.0.2-1.azl3",
"product": {
"name": "\u003cazl3 python-mistune 0:3.0.2-1.azl3",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "azl3 python-mistune 0:3.0.2-1.azl3",
"product": {
"name": "azl3 python-mistune 0:3.0.2-1.azl3",
"product_id": "21330"
}
}
],
"category": "product_name",
"name": "python-mistune"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 python-mistune 0:3.0.2-1.azl3 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 python-mistune 0:3.0.2-1.azl3 as a component of Azure Linux 3.0",
"product_id": "21330-17084"
},
"product_reference": "21330",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-44896",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"21330-17084"
],
"known_affected": [
"17084-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-44896 Mistune: XSS via unescaped figclass/figwidth in Figure directive - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-44896.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-28T01:06:08.000Z",
"details": "0:3.2.1-1.azl3:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"title": "Mistune: XSS via unescaped figclass/figwidth in Figure directive"
}
]
}
OPENSUSE-SU-2026:20827-1
Vulnerability from csaf_opensuse - Published: 2026-05-28 12:07 - Updated: 2026-05-28 12:07| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-mistune",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-mistune fixes the following issues\n\n- CVE-2026-33079: ReDoS in `LINK_TITLE_RE` can lead to denial of service via a crafted Markdown (bsc#1264347).\n- CVE-2026-33441: processing of malformed reference links can lead to excessive resource consumption and denial of\n service (bsc#1264752).\n- CVE-2026-44708: improper HTML escaping in the math plugin can lead to XSS (bsc#1264751).\n- CVE-2026-44896: improper escaping in `render_figure` can lead to attribute injection and XSS (bsc#1264754).\n- CVE-2026-44897: improper sanitization of user-controlled input in `HTMLRenderer.heading` can lead to XSS\n (bsc#1264750).\n- CVE-2026-44898: improper sanitization of user-supplied HTML input in `render_toc_ul` can lead to XSS (bsc#1265052).\n- CVE-2026-44899: improper input verification in Image directive plugin and improper escaping in `render_block_image`\n can lead to CSS injection (bsc#1265053).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-816",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20827-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1264347",
"url": "https://bugzilla.suse.com/1264347"
},
{
"category": "self",
"summary": "SUSE Bug 1264750",
"url": "https://bugzilla.suse.com/1264750"
},
{
"category": "self",
"summary": "SUSE Bug 1264751",
"url": "https://bugzilla.suse.com/1264751"
},
{
"category": "self",
"summary": "SUSE Bug 1264752",
"url": "https://bugzilla.suse.com/1264752"
},
{
"category": "self",
"summary": "SUSE Bug 1264754",
"url": "https://bugzilla.suse.com/1264754"
},
{
"category": "self",
"summary": "SUSE Bug 1265052",
"url": "https://bugzilla.suse.com/1265052"
},
{
"category": "self",
"summary": "SUSE Bug 1265053",
"url": "https://bugzilla.suse.com/1265053"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33079 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33079/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33441 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33441/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44708 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44708/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44896 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44896/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44897 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44897/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44898 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44898/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44899 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44899/"
}
],
"title": "Security update for python-mistune",
"tracking": {
"current_release_date": "2026-05-28T12:07:59Z",
"generator": {
"date": "2026-05-28T12:07:59Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20827-1",
"initial_release_date": "2026-05-28T12:07:59Z",
"revision_history": [
{
"date": "2026-05-28T12:07:59Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-mistune-3.1.3-160000.3.1.noarch",
"product": {
"name": "python313-mistune-3.1.3-160000.3.1.noarch",
"product_id": "python313-mistune-3.1.3-160000.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-mistune-3.1.3-160000.3.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
},
"product_reference": "python313-mistune-3.1.3-160000.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33079",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33079"
}
],
"notes": [
{
"category": "general",
"text": "In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles contains overlapping alternatives that can trigger catastrophic backtracking. In both the double-quoted and single-quoted branches, a backslash followed by punctuation can be matched either as an escaped punctuation sequence or as two ordinary characters, creating an ambiguous pattern inside a repeated group. If an attacker supplies Markdown containing repeated ! sequences with no closing quote, the regex engine explores an exponential number of backtracking paths. This is reachable through normal Markdown parsing of inline links and block link reference definitions. A small crafted input can therefore cause significant CPU consumption and make applications using Mistune unresponsive.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33079",
"url": "https://www.suse.com/security/cve/CVE-2026-33079"
},
{
"category": "external",
"summary": "SUSE Bug 1264347 for CVE-2026-33079",
"url": "https://bugzilla.suse.com/1264347"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-28T12:07:59Z",
"details": "important"
}
],
"title": "CVE-2026-33079"
},
{
"cve": "CVE-2026-33441",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33441"
}
],
"notes": [
{
"category": "general",
"text": "This CVE is a duplicate of another CVE: CVE-2026-33079.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33441",
"url": "https://www.suse.com/security/cve/CVE-2026-33441"
},
{
"category": "external",
"summary": "SUSE Bug 1264752 for CVE-2026-33441",
"url": "https://bugzilla.suse.com/1264752"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-28T12:07:59Z",
"details": "important"
}
],
"title": "CVE-2026-33441"
},
{
"cve": "CVE-2026-44708",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44708"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the mistune math plugin renders inline math ($...$) and block math ($$...$$) by concatenating the raw user-supplied content directly into the HTML output without any HTML escaping. This occurs even when the parser is explicitly created with escape=True, which is supposed to guarantee that all user-controlled text is sanitised before reaching the DOM. This vulnerability is fixed in 3.2.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44708",
"url": "https://www.suse.com/security/cve/CVE-2026-44708"
},
{
"category": "external",
"summary": "SUSE Bug 1264751 for CVE-2026-44708",
"url": "https://bugzilla.suse.com/1264751"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-28T12:07:59Z",
"details": "moderate"
}
],
"title": "CVE-2026-44708"
},
{
"cve": "CVE-2026-44896",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44896"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and realier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44896",
"url": "https://www.suse.com/security/cve/CVE-2026-44896"
},
{
"category": "external",
"summary": "SUSE Bug 1264754 for CVE-2026-44896",
"url": "https://bugzilla.suse.com/1264754"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-28T12:07:59Z",
"details": "moderate"
}
],
"title": "CVE-2026-44896"
},
{
"cve": "CVE-2026-44897",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44897"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading() builds the opening \u003chN\u003e tag by string-concatenating the id attribute value directly into the HTML - with no call to escape(), safe_entity(), or any other sanitisation function. A double-quote character \" in the id value terminates the attribute, allowing an attacker to inject arbitrary additional attributes (event handlers, src=, href=, etc.) into the heading element. This vulnerability is fixed in 3.2.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44897",
"url": "https://www.suse.com/security/cve/CVE-2026-44897"
},
{
"category": "external",
"summary": "SUSE Bug 1264750 for CVE-2026-44897",
"url": "https://bugzilla.suse.com/1264750"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-28T12:07:59Z",
"details": "moderate"
}
],
"title": "CVE-2026-44897"
},
{
"cve": "CVE-2026-44898",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44898"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a \u003cul\u003e table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href=\"#\u003cid\u003e\") and the text value (used as the visible link label) are inserted into \u003ca\u003e tags via a plain Python format string - with no HTML escaping applied to either value. When heading IDs are derived from user-supplied heading text (the standard use-case for readable slug anchors), an attacker can craft a heading whose text breaks out of the href=\"#...\" attribute context, injecting arbitrary HTML tags including \u003cscript\u003e blocks directly into the rendered TOC. This vulnerability is fixed in 3.2.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44898",
"url": "https://www.suse.com/security/cve/CVE-2026-44898"
},
{
"category": "external",
"summary": "SUSE Bug 1265052 for CVE-2026-44898",
"url": "https://bugzilla.suse.com/1265052"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-28T12:07:59Z",
"details": "moderate"
}
],
"title": "CVE-2026-44898"
},
{
"cve": "CVE-2026-44899",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44899"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the Image directive plugin validates the :width: and :height: options with a regex compiled as _num_re = re.compile(r\"^\\d+(?:\\.\\d*)?\"). When the validated value is not a plain integer, render_block_image() inserts it directly into a style=\"width:...;\" or style=\"height:...;\" attribute. Because the value was accepted by the prefix-only regex, any CSS after the leading digits reaches the style= attribute verbatim and without escaping. This vulnerability is fixed in 3.2.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44899",
"url": "https://www.suse.com/security/cve/CVE-2026-44899"
},
{
"category": "external",
"summary": "SUSE Bug 1265053 for CVE-2026-44899",
"url": "https://bugzilla.suse.com/1265053"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-28T12:07:59Z",
"details": "moderate"
}
],
"title": "CVE-2026-44899"
}
]
}
OPENSUSE-SU-2026:21339-1
Vulnerability from csaf_opensuse - Published: 2026-07-14 10:41 - Updated: 2026-07-14 10:41| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-mistune",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-mistune fixes the following issues\n\n- CVE-2026-59922: quadratic-time parsing on long runs of some markers in `formatting.py` can lead to DoS (bsc#1271117).\n- CVE-2026-59923: `HTMLRenderer.safe_url()` does not block percent-encoded javascript URIs and allows for XSS\n (bsc#1271119).\n- CVE-2026-59924: improper processing of user-supplied include paths in `Include.parse()` can lead to path traversal\n and arbitrary file reads (bsc#1271121).\n- CVE-2026-59925: quadratic-time parsing on long runs of some emphasis pairs in `inline_parser` can lead to DoS\n (bsc#1271125).\n- CVE-2026-59926: improper escaping in `render_admonition()` can lead to atribute injection and XSS (bsc#1271127).\n- CVE-2026-59927: uncontrolled recursion when processing two markdown files that include each other can lead to a DoS\n (bsc#1271128).\n- CVE-2026-59928: quadratic-time parsing on long lists of repeated reference-link definitions in `block_parser` can\n lead to DoS (bsc#1271131).\n- CVE-2026-59929: HARMFUL_PROTOCOLS list misses legacy and chained schemes and allow arbitrary script execution in\n user agents (bsc#1271132).\n- CVE-2026-59930: the `toc` plugin and `TableOfContents` directive generate heading IDs with predictable values and\n allow for collisions with attacker-controlled `id=\"toc_N\"` content (bsc#1271082).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-1243",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_21339-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1271082",
"url": "https://bugzilla.suse.com/1271082"
},
{
"category": "self",
"summary": "SUSE Bug 1271117",
"url": "https://bugzilla.suse.com/1271117"
},
{
"category": "self",
"summary": "SUSE Bug 1271119",
"url": "https://bugzilla.suse.com/1271119"
},
{
"category": "self",
"summary": "SUSE Bug 1271121",
"url": "https://bugzilla.suse.com/1271121"
},
{
"category": "self",
"summary": "SUSE Bug 1271125",
"url": "https://bugzilla.suse.com/1271125"
},
{
"category": "self",
"summary": "SUSE Bug 1271127",
"url": "https://bugzilla.suse.com/1271127"
},
{
"category": "self",
"summary": "SUSE Bug 1271128",
"url": "https://bugzilla.suse.com/1271128"
},
{
"category": "self",
"summary": "SUSE Bug 1271131",
"url": "https://bugzilla.suse.com/1271131"
},
{
"category": "self",
"summary": "SUSE Bug 1271132",
"url": "https://bugzilla.suse.com/1271132"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44896 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44896/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-59922 page",
"url": "https://www.suse.com/security/cve/CVE-2026-59922/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-59923 page",
"url": "https://www.suse.com/security/cve/CVE-2026-59923/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-59924 page",
"url": "https://www.suse.com/security/cve/CVE-2026-59924/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-59925 page",
"url": "https://www.suse.com/security/cve/CVE-2026-59925/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-59926 page",
"url": "https://www.suse.com/security/cve/CVE-2026-59926/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-59927 page",
"url": "https://www.suse.com/security/cve/CVE-2026-59927/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-59928 page",
"url": "https://www.suse.com/security/cve/CVE-2026-59928/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-59929 page",
"url": "https://www.suse.com/security/cve/CVE-2026-59929/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-59930 page",
"url": "https://www.suse.com/security/cve/CVE-2026-59930/"
}
],
"title": "Security update for python-mistune",
"tracking": {
"current_release_date": "2026-07-14T10:41:18Z",
"generator": {
"date": "2026-07-14T10:41:18Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:21339-1",
"initial_release_date": "2026-07-14T10:41:18Z",
"revision_history": [
{
"date": "2026-07-14T10:41:18Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-mistune-3.1.3-160000.5.1.noarch",
"product": {
"name": "python313-mistune-3.1.3-160000.5.1.noarch",
"product_id": "python313-mistune-3.1.3-160000.5.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-mistune-3.1.3-160000.5.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
},
"product_reference": "python313-mistune-3.1.3-160000.5.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-44896",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44896"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer. Version 3.2.1 contains a patch.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44896",
"url": "https://www.suse.com/security/cve/CVE-2026-44896"
},
{
"category": "external",
"summary": "SUSE Bug 1264754 for CVE-2026-44896",
"url": "https://bugzilla.suse.com/1264754"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-14T10:41:18Z",
"details": "moderate"
}
],
"title": "CVE-2026-44896"
},
{
"cve": "CVE-2026-59922",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-59922"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugins/formatting.py when the strikethrough, mark, or insert plugin scans for matching markers from each possible start position, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-59922",
"url": "https://www.suse.com/security/cve/CVE-2026-59922"
},
{
"category": "external",
"summary": "SUSE Bug 1271117 for CVE-2026-59922",
"url": "https://bugzilla.suse.com/1271117"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-14T10:41:18Z",
"details": "moderate"
}
],
"title": "CVE-2026-59922"
},
{
"cve": "CVE-2026-59923",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-59923"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safe_url() does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or images to bypass URL protections and execute script in rendered HTML. This issue is fixed in version 3.3.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-59923",
"url": "https://www.suse.com/security/cve/CVE-2026-59923"
},
{
"category": "external",
"summary": "SUSE Bug 1271119 for CVE-2026-59923",
"url": "https://bugzilla.suse.com/1271119"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-14T10:41:18Z",
"details": "moderate"
}
],
"title": "CVE-2026-59923"
},
{
"cve": "CVE-2026-59924",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-59924"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse() joins and normalizes user-supplied include paths without verifying that the result remains within the intended markdown directory, allowing crafted include paths to access files outside that directory when markdown files are processed using md.read(). This issue is fixed in version 3.3.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-59924",
"url": "https://www.suse.com/security/cve/CVE-2026-59924"
},
{
"category": "external",
"summary": "SUSE Bug 1271121 for CVE-2026-59924",
"url": "https://bugzilla.suse.com/1271121"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-14T10:41:18Z",
"details": "moderate"
}
],
"title": "CVE-2026-59924"
},
{
"cve": "CVE-2026-59925",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-59925"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching close markers from every potential opening run, allowing denial of service in default Mistune parsing. This issue is fixed in version 3.3.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-59925",
"url": "https://www.suse.com/security/cve/CVE-2026-59925"
},
{
"category": "external",
"summary": "SUSE Bug 1271125 for CVE-2026-59925",
"url": "https://bugzilla.suse.com/1271125"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-14T10:41:18Z",
"details": "moderate"
}
],
"title": "CVE-2026-59925"
},
{
"cve": "CVE-2026-59926",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-59926"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even when HTMLRenderer escape mode is enabled. This issue is fixed in version 3.2.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-59926",
"url": "https://www.suse.com/security/cve/CVE-2026-59926"
},
{
"category": "external",
"summary": "SUSE Bug 1271127 for CVE-2026-59926",
"url": "https://bugzilla.suse.com/1271127"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-14T10:41:18Z",
"details": "moderate"
}
],
"title": "CVE-2026-59926"
},
{
"cve": "CVE-2026-59927",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-59927"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect cycles, allowing two markdown files that include each other to trigger unbounded recursion, raise RecursionError, and crash the rendering request. This issue is fixed in version 3.3.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-59927",
"url": "https://www.suse.com/security/cve/CVE-2026-59927"
},
{
"category": "external",
"summary": "SUSE Bug 1271128 for CVE-2026-59927",
"url": "https://bugzilla.suse.com/1271128"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-14T10:41:18Z",
"details": "moderate"
}
],
"title": "CVE-2026-59927"
},
{
"cve": "CVE-2026-59928",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-59928"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-59928",
"url": "https://www.suse.com/security/cve/CVE-2026-59928"
},
{
"category": "external",
"summary": "SUSE Bug 1271131 for CVE-2026-59928",
"url": "https://bugzilla.suse.com/1271131"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-14T10:41:18Z",
"details": "moderate"
}
],
"title": "CVE-2026-59928"
},
{
"cve": "CVE-2026-59929",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-59929"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safe_url filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:, and res: to reach rendered href and src attributes and potentially execute script in affected user agents. This issue is fixed in version 3.3.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-59929",
"url": "https://www.suse.com/security/cve/CVE-2026-59929"
},
{
"category": "external",
"summary": "SUSE Bug 1271132 for CVE-2026-59929",
"url": "https://bugzilla.suse.com/1271132"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-14T10:41:18Z",
"details": "moderate"
}
],
"title": "CVE-2026-59929"
},
{
"cve": "CVE-2026-59930",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-59930"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the toc plugin and TableOfContents directive generate heading IDs as predictable toc_N values without slugifying the heading text, allowing attacker-controlled id=\"toc_N\" content to collide with generated anchors and redirect same-page navigation, CSS selectors, or JavaScript handlers. This issue is fixed in version 3.3.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-59930",
"url": "https://www.suse.com/security/cve/CVE-2026-59930"
},
{
"category": "external",
"summary": "SUSE Bug 1271082 for CVE-2026-59930",
"url": "https://bugzilla.suse.com/1271082"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-14T10:41:18Z",
"details": "moderate"
}
],
"title": "CVE-2026-59930"
}
]
}
PYSEC-2026-168
Vulnerability from pysec - Published: 2026-05-26 21:16 - Updated: 2026-05-29 10:50Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and realier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer.
| Name | purl | mistune | pkg:pypi/mistune |
|---|
{
"affected": [
{
"ecosystem_specific": {},
"package": {
"ecosystem": "PyPI",
"name": "mistune",
"purl": "pkg:pypi/mistune"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.1.0",
"0.2.0",
"0.3.0",
"0.3.1",
"0.4",
"0.4.1",
"0.5",
"0.5.1",
"0.6",
"0.7",
"0.7.1",
"0.7.2",
"0.7.3",
"0.7.4",
"0.8",
"0.8.1",
"0.8.2",
"0.8.3",
"0.8.4",
"2.0.0",
"2.0.0a1",
"2.0.0a2",
"2.0.0a3",
"2.0.0a4",
"2.0.0a5",
"2.0.0a6",
"2.0.0rc1",
"2.0.1",
"2.0.2",
"2.0.3",
"2.0.4",
"2.0.5",
"3.0.0",
"3.0.0a1",
"3.0.0a2",
"3.0.0a3",
"3.0.0rc1",
"3.0.0rc2",
"3.0.0rc3",
"3.0.0rc4",
"3.0.0rc5",
"3.0.1",
"3.0.2",
"3.1.0",
"3.1.1",
"3.1.2",
"3.1.3",
"3.1.4",
"3.2.0"
]
}
],
"aliases": [
"CVE-2026-44896",
"GHSA-58cw-g322-p94v"
],
"details": "Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and realier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer.",
"id": "PYSEC-2026-168",
"modified": "2026-05-29T10:50:12.284924Z",
"published": "2026-05-26T21:16:39.477Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
SUSE-SU-2026:21858-1
Vulnerability from csaf_suse - Published: 2026-05-28 12:08 - Updated: 2026-05-28 12:08| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-mistune",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-mistune fixes the following issues\n\n- CVE-2026-33079: ReDoS in `LINK_TITLE_RE` can lead to denial of service via a crafted Markdown (bsc#1264347).\n- CVE-2026-33441: processing of malformed reference links can lead to excessive resource consumption and denial of\n service (bsc#1264752).\n- CVE-2026-44708: improper HTML escaping in the math plugin can lead to XSS (bsc#1264751).\n- CVE-2026-44896: improper escaping in `render_figure` can lead to attribute injection and XSS (bsc#1264754).\n- CVE-2026-44897: improper sanitization of user-controlled input in `HTMLRenderer.heading` can lead to XSS\n (bsc#1264750).\n- CVE-2026-44898: improper sanitization of user-supplied HTML input in `render_toc_ul` can lead to XSS (bsc#1265052).\n- CVE-2026-44899: improper input verification in Image directive plugin and improper escaping in `render_block_image`\n can lead to CSS injection (bsc#1265053).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-816",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21858-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21858-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621858-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21858-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-June/046916.html"
},
{
"category": "self",
"summary": "SUSE Bug 1264347",
"url": "https://bugzilla.suse.com/1264347"
},
{
"category": "self",
"summary": "SUSE Bug 1264750",
"url": "https://bugzilla.suse.com/1264750"
},
{
"category": "self",
"summary": "SUSE Bug 1264751",
"url": "https://bugzilla.suse.com/1264751"
},
{
"category": "self",
"summary": "SUSE Bug 1264752",
"url": "https://bugzilla.suse.com/1264752"
},
{
"category": "self",
"summary": "SUSE Bug 1264754",
"url": "https://bugzilla.suse.com/1264754"
},
{
"category": "self",
"summary": "SUSE Bug 1265052",
"url": "https://bugzilla.suse.com/1265052"
},
{
"category": "self",
"summary": "SUSE Bug 1265053",
"url": "https://bugzilla.suse.com/1265053"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33079 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33079/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33441 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33441/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44708 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44708/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44896 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44896/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44897 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44897/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44898 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44898/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44899 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44899/"
}
],
"title": "Security update for python-mistune",
"tracking": {
"current_release_date": "2026-05-28T12:08:10Z",
"generator": {
"date": "2026-05-28T12:08:10Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21858-1",
"initial_release_date": "2026-05-28T12:08:10Z",
"revision_history": [
{
"date": "2026-05-28T12:08:10Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-mistune-3.1.3-160000.3.1.noarch",
"product": {
"name": "python313-mistune-3.1.3-160000.3.1.noarch",
"product_id": "python313-mistune-3.1.3-160000.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-mistune-3.1.3-160000.3.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
},
"product_reference": "python313-mistune-3.1.3-160000.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-mistune-3.1.3-160000.3.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
},
"product_reference": "python313-mistune-3.1.3-160000.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33079",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33079"
}
],
"notes": [
{
"category": "general",
"text": "In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles contains overlapping alternatives that can trigger catastrophic backtracking. In both the double-quoted and single-quoted branches, a backslash followed by punctuation can be matched either as an escaped punctuation sequence or as two ordinary characters, creating an ambiguous pattern inside a repeated group. If an attacker supplies Markdown containing repeated ! sequences with no closing quote, the regex engine explores an exponential number of backtracking paths. This is reachable through normal Markdown parsing of inline links and block link reference definitions. A small crafted input can therefore cause significant CPU consumption and make applications using Mistune unresponsive.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33079",
"url": "https://www.suse.com/security/cve/CVE-2026-33079"
},
{
"category": "external",
"summary": "SUSE Bug 1264347 for CVE-2026-33079",
"url": "https://bugzilla.suse.com/1264347"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-28T12:08:10Z",
"details": "important"
}
],
"title": "CVE-2026-33079"
},
{
"cve": "CVE-2026-33441",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33441"
}
],
"notes": [
{
"category": "general",
"text": "This CVE is a duplicate of another CVE: CVE-2026-33079.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33441",
"url": "https://www.suse.com/security/cve/CVE-2026-33441"
},
{
"category": "external",
"summary": "SUSE Bug 1264752 for CVE-2026-33441",
"url": "https://bugzilla.suse.com/1264752"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-28T12:08:10Z",
"details": "important"
}
],
"title": "CVE-2026-33441"
},
{
"cve": "CVE-2026-44708",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44708"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the mistune math plugin renders inline math ($...$) and block math ($$...$$) by concatenating the raw user-supplied content directly into the HTML output without any HTML escaping. This occurs even when the parser is explicitly created with escape=True, which is supposed to guarantee that all user-controlled text is sanitised before reaching the DOM. This vulnerability is fixed in 3.2.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44708",
"url": "https://www.suse.com/security/cve/CVE-2026-44708"
},
{
"category": "external",
"summary": "SUSE Bug 1264751 for CVE-2026-44708",
"url": "https://bugzilla.suse.com/1264751"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-28T12:08:10Z",
"details": "moderate"
}
],
"title": "CVE-2026-44708"
},
{
"cve": "CVE-2026-44896",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44896"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and realier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44896",
"url": "https://www.suse.com/security/cve/CVE-2026-44896"
},
{
"category": "external",
"summary": "SUSE Bug 1264754 for CVE-2026-44896",
"url": "https://bugzilla.suse.com/1264754"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-28T12:08:10Z",
"details": "moderate"
}
],
"title": "CVE-2026-44896"
},
{
"cve": "CVE-2026-44897",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44897"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading() builds the opening \u003chN\u003e tag by string-concatenating the id attribute value directly into the HTML - with no call to escape(), safe_entity(), or any other sanitisation function. A double-quote character \" in the id value terminates the attribute, allowing an attacker to inject arbitrary additional attributes (event handlers, src=, href=, etc.) into the heading element. This vulnerability is fixed in 3.2.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44897",
"url": "https://www.suse.com/security/cve/CVE-2026-44897"
},
{
"category": "external",
"summary": "SUSE Bug 1264750 for CVE-2026-44897",
"url": "https://bugzilla.suse.com/1264750"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-28T12:08:10Z",
"details": "moderate"
}
],
"title": "CVE-2026-44897"
},
{
"cve": "CVE-2026-44898",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44898"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a \u003cul\u003e table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href=\"#\u003cid\u003e\") and the text value (used as the visible link label) are inserted into \u003ca\u003e tags via a plain Python format string - with no HTML escaping applied to either value. When heading IDs are derived from user-supplied heading text (the standard use-case for readable slug anchors), an attacker can craft a heading whose text breaks out of the href=\"#...\" attribute context, injecting arbitrary HTML tags including \u003cscript\u003e blocks directly into the rendered TOC. This vulnerability is fixed in 3.2.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44898",
"url": "https://www.suse.com/security/cve/CVE-2026-44898"
},
{
"category": "external",
"summary": "SUSE Bug 1265052 for CVE-2026-44898",
"url": "https://bugzilla.suse.com/1265052"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-28T12:08:10Z",
"details": "moderate"
}
],
"title": "CVE-2026-44898"
},
{
"cve": "CVE-2026-44899",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44899"
}
],
"notes": [
{
"category": "general",
"text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the Image directive plugin validates the :width: and :height: options with a regex compiled as _num_re = re.compile(r\"^\\d+(?:\\.\\d*)?\"). When the validated value is not a plain integer, render_block_image() inserts it directly into a style=\"width:...;\" or style=\"height:...;\" attribute. Because the value was accepted by the prefix-only regex, any CSS after the leading digits reaches the style= attribute verbatim and without escaping. This vulnerability is fixed in 3.2.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44899",
"url": "https://www.suse.com/security/cve/CVE-2026-44899"
},
{
"category": "external",
"summary": "SUSE Bug 1265053 for CVE-2026-44899",
"url": "https://bugzilla.suse.com/1265053"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-mistune-3.1.3-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-mistune-3.1.3-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-28T12:08:10Z",
"details": "moderate"
}
],
"title": "CVE-2026-44899"
}
]
}
ubuntu-cve-2026-44896
Vulnerability from osv_ubuntu
Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer. Version 3.2.1 contains a patch.
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "python-mistune",
"binary_version": "0.7.1-1"
},
{
"binary_name": "python3-mistune",
"binary_version": "0.7.1-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:16.04:LTS",
"name": "mistune",
"purl": "pkg:deb/ubuntu/mistune@0.7.1-1?arch=source\u0026distro=xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.6-2",
"0.7.1-1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "python-mistune",
"binary_version": "0.8.3-2"
},
{
"binary_name": "python3-mistune",
"binary_version": "0.8.3-2"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "mistune",
"purl": "pkg:deb/ubuntu/mistune@0.8.3-2?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.7.4-1",
"0.8-1",
"0.8.1-1",
"0.8.3-2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "python3-mistune",
"binary_version": "0.8.4-2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "mistune",
"purl": "pkg:deb/ubuntu/mistune@0.8.4-2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.8.4-1",
"0.8.4-2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "python3-mistune",
"binary_version": "2.0.0-1+really0.8.4-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "mistune",
"purl": "pkg:deb/ubuntu/mistune@2.0.0-1+really0.8.4-1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.8.4-4",
"0.8.4-5",
"2.0.0-1+really0.8.4-1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "python3-mistune0",
"binary_version": "0.8.4-2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "mistune0",
"purl": "pkg:deb/ubuntu/mistune0@0.8.4-2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.8.4-1",
"0.8.4-2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "python3-mistune",
"binary_version": "3.0.2-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "mistune",
"purl": "pkg:deb/ubuntu/mistune@3.0.2-1?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.0.4-2",
"3.0.2-1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "python3-mistune0",
"binary_version": "0.8.4-2"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "mistune0",
"purl": "pkg:deb/ubuntu/mistune0@0.8.4-2?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.8.4-2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "python3-mistune",
"binary_version": "3.1.3-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "mistune",
"purl": "pkg:deb/ubuntu/mistune@3.1.3-1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.0.2-2",
"3.1.3-1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "python3-mistune0",
"binary_version": "0.8.4-4"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "mistune0",
"purl": "pkg:deb/ubuntu/mistune0@0.8.4-4?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.8.4-4"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "python3-mistune",
"binary_version": "3.1.4-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:26.04:LTS",
"name": "mistune",
"purl": "pkg:deb/ubuntu/mistune@3.1.4-1?arch=source\u0026distro=resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.1.3-1",
"3.1.4-1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "python3-mistune0",
"binary_version": "0.8.4-6"
}
]
},
"package": {
"ecosystem": "Ubuntu:26.04:LTS",
"name": "mistune0",
"purl": "pkg:deb/ubuntu/mistune0@0.8.4-6?arch=source\u0026distro=resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.8.4-4",
"0.8.4-5",
"0.8.4-6"
]
}
],
"aliases": [],
"details": "Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer. Version 3.2.1 contains a patch.",
"id": "UBUNTU-CVE-2026-44896",
"modified": "2026-06-11T13:05:27Z",
"published": "2026-05-26T21:16:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-44896"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44896"
},
{
"type": "REPORT",
"url": "https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v"
}
],
"related": [],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2026-44896"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.