OPENSUSE-SU-2026:21339-1

Vulnerability from csaf_opensuse - Published: 2026-07-14 10:41 - Updated: 2026-07-14 10:41
Summary
Security update for python-mistune
Severity
Moderate
Notes
Title of the patch: Security update for python-mistune
Description of the patch: This update for python-mistune fixes the following issues - CVE-2026-59922: quadratic-time parsing on long runs of some markers in `formatting.py` can lead to DoS (bsc#1271117). - CVE-2026-59923: `HTMLRenderer.safe_url()` does not block percent-encoded javascript URIs and allows for XSS (bsc#1271119). - CVE-2026-59924: improper processing of user-supplied include paths in `Include.parse()` can lead to path traversal and arbitrary file reads (bsc#1271121). - CVE-2026-59925: quadratic-time parsing on long runs of some emphasis pairs in `inline_parser` can lead to DoS (bsc#1271125). - CVE-2026-59926: improper escaping in `render_admonition()` can lead to atribute injection and XSS (bsc#1271127). - CVE-2026-59927: uncontrolled recursion when processing two markdown files that include each other can lead to a DoS (bsc#1271128). - CVE-2026-59928: quadratic-time parsing on long lists of repeated reference-link definitions in `block_parser` can lead to DoS (bsc#1271131). - CVE-2026-59929: HARMFUL_PROTOCOLS list misses legacy and chained schemes and allow arbitrary script execution in user agents (bsc#1271132). - CVE-2026-59930: the `toc` plugin and `TableOfContents` directive generate heading IDs with predictable values and allow for collisions with attacker-controlled `id="toc_N"` content (bsc#1271082).
Patchnames: openSUSE-Leap-16.0-1243
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Product Identifier Version Remediation
Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch
Vendor Fix
Threats
Impact moderate
Affected products
Product Identifier Version Remediation
Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch
Vendor Fix
Threats
Impact moderate
Affected products
Product Identifier Version Remediation
Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch
Vendor Fix
Threats
Impact moderate
Affected products
Product Identifier Version Remediation
Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch
Vendor Fix
Threats
Impact moderate
Affected products
Product Identifier Version Remediation
Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch
Vendor Fix
Threats
Impact moderate
Affected products
Product Identifier Version Remediation
Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch
Vendor Fix
Threats
Impact moderate
Affected products
Product Identifier Version Remediation
Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch
Vendor Fix
Threats
Impact moderate
Affected products
Product Identifier Version Remediation
Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch
Vendor Fix
Threats
Impact moderate
Affected products
Product Identifier Version Remediation
Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch
Vendor Fix
Threats
Impact moderate
Affected products
Product Identifier Version Remediation
Unresolved product id: openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch
Vendor Fix
Threats
Impact moderate
References
URL Category
https://www.suse.com/support/security/rating/ external
https://ftp.suse.com/pub/projects/security/csaf/o… self
https://bugzilla.suse.com/1271082 self
https://bugzilla.suse.com/1271117 self
https://bugzilla.suse.com/1271119 self
https://bugzilla.suse.com/1271121 self
https://bugzilla.suse.com/1271125 self
https://bugzilla.suse.com/1271127 self
https://bugzilla.suse.com/1271128 self
https://bugzilla.suse.com/1271131 self
https://bugzilla.suse.com/1271132 self
https://www.suse.com/security/cve/CVE-2026-44896/ self
https://www.suse.com/security/cve/CVE-2026-59922/ self
https://www.suse.com/security/cve/CVE-2026-59923/ self
https://www.suse.com/security/cve/CVE-2026-59924/ self
https://www.suse.com/security/cve/CVE-2026-59925/ self
https://www.suse.com/security/cve/CVE-2026-59926/ self
https://www.suse.com/security/cve/CVE-2026-59927/ self
https://www.suse.com/security/cve/CVE-2026-59928/ self
https://www.suse.com/security/cve/CVE-2026-59929/ self
https://www.suse.com/security/cve/CVE-2026-59930/ self
https://www.suse.com/security/cve/CVE-2026-44896 external
https://bugzilla.suse.com/1264754 external
https://www.suse.com/security/cve/CVE-2026-59922 external
https://bugzilla.suse.com/1271117 external
https://www.suse.com/security/cve/CVE-2026-59923 external
https://bugzilla.suse.com/1271119 external
https://www.suse.com/security/cve/CVE-2026-59924 external
https://bugzilla.suse.com/1271121 external
https://www.suse.com/security/cve/CVE-2026-59925 external
https://bugzilla.suse.com/1271125 external
https://www.suse.com/security/cve/CVE-2026-59926 external
https://bugzilla.suse.com/1271127 external
https://www.suse.com/security/cve/CVE-2026-59927 external
https://bugzilla.suse.com/1271128 external
https://www.suse.com/security/cve/CVE-2026-59928 external
https://bugzilla.suse.com/1271131 external
https://www.suse.com/security/cve/CVE-2026-59929 external
https://bugzilla.suse.com/1271132 external
https://www.suse.com/security/cve/CVE-2026-59930 external
https://bugzilla.suse.com/1271082 external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-mistune",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-mistune fixes the following issues\n\n- CVE-2026-59922: quadratic-time parsing on long runs of some markers in `formatting.py` can lead to DoS (bsc#1271117).\n- CVE-2026-59923: `HTMLRenderer.safe_url()` does not block percent-encoded javascript URIs and allows for XSS\n  (bsc#1271119).\n- CVE-2026-59924: improper processing of user-supplied include paths in `Include.parse()` can lead to path traversal\n  and arbitrary file reads (bsc#1271121).\n- CVE-2026-59925: quadratic-time parsing on long runs of some emphasis pairs in `inline_parser` can lead to DoS\n  (bsc#1271125).\n- CVE-2026-59926: improper escaping in `render_admonition()` can lead to atribute injection and XSS (bsc#1271127).\n- CVE-2026-59927: uncontrolled recursion when processing two markdown files that include each other can lead to a DoS\n   (bsc#1271128).\n- CVE-2026-59928: quadratic-time parsing on long lists of repeated reference-link definitions in `block_parser` can\n  lead to DoS (bsc#1271131).\n- CVE-2026-59929: HARMFUL_PROTOCOLS list misses legacy and chained schemes and allow arbitrary script execution in\n  user agents (bsc#1271132).\n- CVE-2026-59930: the `toc` plugin and `TableOfContents` directive generate heading IDs with predictable values and\n  allow for collisions with attacker-controlled `id=\"toc_N\"` content (bsc#1271082).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Leap-16.0-1243",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_21339-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1271082",
        "url": "https://bugzilla.suse.com/1271082"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1271117",
        "url": "https://bugzilla.suse.com/1271117"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1271119",
        "url": "https://bugzilla.suse.com/1271119"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1271121",
        "url": "https://bugzilla.suse.com/1271121"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1271125",
        "url": "https://bugzilla.suse.com/1271125"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1271127",
        "url": "https://bugzilla.suse.com/1271127"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1271128",
        "url": "https://bugzilla.suse.com/1271128"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1271131",
        "url": "https://bugzilla.suse.com/1271131"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1271132",
        "url": "https://bugzilla.suse.com/1271132"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-44896 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-44896/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-59922 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-59922/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-59923 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-59923/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-59924 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-59924/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-59925 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-59925/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-59926 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-59926/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-59927 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-59927/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-59928 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-59928/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-59929 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-59929/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-59930 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-59930/"
      }
    ],
    "title": "Security update for python-mistune",
    "tracking": {
      "current_release_date": "2026-07-14T10:41:18Z",
      "generator": {
        "date": "2026-07-14T10:41:18Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:21339-1",
      "initial_release_date": "2026-07-14T10:41:18Z",
      "revision_history": [
        {
          "date": "2026-07-14T10:41:18Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python313-mistune-3.1.3-160000.5.1.noarch",
                "product": {
                  "name": "python313-mistune-3.1.3-160000.5.1.noarch",
                  "product_id": "python313-mistune-3.1.3-160000.5.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 16.0",
                "product": {
                  "name": "openSUSE Leap 16.0",
                  "product_id": "openSUSE Leap 16.0"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-mistune-3.1.3-160000.5.1.noarch as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
        },
        "product_reference": "python313-mistune-3.1.3-160000.5.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-44896",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-44896"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer. Version 3.2.1 contains a patch.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-44896",
          "url": "https://www.suse.com/security/cve/CVE-2026-44896"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1264754 for CVE-2026-44896",
          "url": "https://bugzilla.suse.com/1264754"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-14T10:41:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-44896"
    },
    {
      "cve": "CVE-2026-59922",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-59922"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugins/formatting.py when the strikethrough, mark, or insert plugin scans for matching markers from each possible start position, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-59922",
          "url": "https://www.suse.com/security/cve/CVE-2026-59922"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1271117 for CVE-2026-59922",
          "url": "https://bugzilla.suse.com/1271117"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-14T10:41:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-59922"
    },
    {
      "cve": "CVE-2026-59923",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-59923"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safe_url() does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or images to bypass URL protections and execute script in rendered HTML. This issue is fixed in version 3.3.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-59923",
          "url": "https://www.suse.com/security/cve/CVE-2026-59923"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1271119 for CVE-2026-59923",
          "url": "https://bugzilla.suse.com/1271119"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-14T10:41:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-59923"
    },
    {
      "cve": "CVE-2026-59924",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-59924"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse() joins and normalizes user-supplied include paths without verifying that the result remains within the intended markdown directory, allowing crafted include paths to access files outside that directory when markdown files are processed using md.read(). This issue is fixed in version 3.3.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-59924",
          "url": "https://www.suse.com/security/cve/CVE-2026-59924"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1271121 for CVE-2026-59924",
          "url": "https://bugzilla.suse.com/1271121"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-14T10:41:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-59924"
    },
    {
      "cve": "CVE-2026-59925",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-59925"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching close markers from every potential opening run, allowing denial of service in default Mistune parsing. This issue is fixed in version 3.3.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-59925",
          "url": "https://www.suse.com/security/cve/CVE-2026-59925"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1271125 for CVE-2026-59925",
          "url": "https://bugzilla.suse.com/1271125"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-14T10:41:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-59925"
    },
    {
      "cve": "CVE-2026-59926",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-59926"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even when HTMLRenderer escape mode is enabled. This issue is fixed in version 3.2.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-59926",
          "url": "https://www.suse.com/security/cve/CVE-2026-59926"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1271127 for CVE-2026-59926",
          "url": "https://bugzilla.suse.com/1271127"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-14T10:41:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-59926"
    },
    {
      "cve": "CVE-2026-59927",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-59927"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect cycles, allowing two markdown files that include each other to trigger unbounded recursion, raise RecursionError, and crash the rendering request. This issue is fixed in version 3.3.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-59927",
          "url": "https://www.suse.com/security/cve/CVE-2026-59927"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1271128 for CVE-2026-59927",
          "url": "https://bugzilla.suse.com/1271128"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-14T10:41:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-59927"
    },
    {
      "cve": "CVE-2026-59928",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-59928"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-59928",
          "url": "https://www.suse.com/security/cve/CVE-2026-59928"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1271131 for CVE-2026-59928",
          "url": "https://bugzilla.suse.com/1271131"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-14T10:41:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-59928"
    },
    {
      "cve": "CVE-2026-59929",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-59929"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safe_url filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:, and res: to reach rendered href and src attributes and potentially execute script in affected user agents. This issue is fixed in version 3.3.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-59929",
          "url": "https://www.suse.com/security/cve/CVE-2026-59929"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1271132 for CVE-2026-59929",
          "url": "https://bugzilla.suse.com/1271132"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-14T10:41:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-59929"
    },
    {
      "cve": "CVE-2026-59930",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-59930"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the toc plugin and TableOfContents directive generate heading IDs as predictable toc_N values without slugifying the heading text, allowing attacker-controlled id=\"toc_N\" content to collide with generated anchors and redirect same-page navigation, CSS selectors, or JavaScript handlers. This issue is fixed in version 3.3.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-59930",
          "url": "https://www.suse.com/security/cve/CVE-2026-59930"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1271082 for CVE-2026-59930",
          "url": "https://bugzilla.suse.com/1271082"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:python313-mistune-3.1.3-160000.5.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-07-14T10:41:18Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-59930"
    }
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…