Markdown Parsing Vulnerability in Mistune Python Library
CVE-2026-44708

6.1MEDIUM

Key Information:

Vendor: Lepture
Status: Mistune
Vendor: CVE Published:; 26 May 2026

What is CVE-2026-44708?

The Mistune Markdown parser, a widely-used Python library for rendering Markdown, is susceptible to a vulnerability that permits unsafe rendering of user-supplied content in HTML. Specifically, prior to version 3.2.1, the math plugin of Mistune allowed inline and block math to be rendered without adequate HTML escaping. This oversight raised security concerns by exposing applications to cross-site scripting (XSS) attacks, as user-controlled mathematical expressions could be injected directly into the HTML output. To mitigate this issue, it is essential to update to Mistune version 3.2.1 or higher, where this vulnerability has been addressed.

Affected Version(s)

mistune < 3.2.1

References

https://github.com/lepture/mistune/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/lepture/mistune/releases/tag/v3.2.1

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
May 7, 2026

CVE-2026-44708 Data

JSON

Lepture

What is CVE-2026-44708?

Affected Version(s)

References

CVSS V3.1

Timeline