XSS Vulnerability in Mistune Python Markdown Parser
CVE-2026-44896

5.3 MEDIUM

Key Information:

Vendor: Lepture
Status: Vendor
CVE Published: 26 May 2026

What is CVE-2026-44896?

Mistune, a Markdown parser for Python, fails to escape two directive options when it renders a figure. In versions 3.2.0 and earlier, render_figure() copies the figclass and figwidth values into the generated <figure> element without escaping them. An attacker who controls the Markdown input can therefore inject additional HTML attributes, such as an event handler, into the output, and the resulting cross-site scripting (XSS) is not prevented by configuring HTMLRenderer to escape HTML, because that setting does not cover these option values. Mitigation requires validating the options against an allowlist and escaping them before they are written into attributes.
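The attribute-injection pattern the advisory describes, and one way to close it, as an added example. This is illustrative code written for this page; it is not mistune's own render_figure(), does not import mistune, and the function names, the allowlist patterns and the sample payloads are assumptions. The vulnerable variant concatenates the option values raw; the hardened variant allowlists each option, drops anything that does not match, and escapes what it does emit.

```python
import html
import re

# Constructed stand-in for a figure directive renderer. It mirrors the defect the
# advisory describes (figclass and figwidth copied into attributes unescaped);
# it is illustrative and is not mistune's own render_figure().
def render_figure_vulnerable(text, align=None, figwidth=None, figclass=None):
    # `text` is the already-rendered inner HTML of the figure body, so it is
    # not escaped here; the problem is the option values below.
    cls = "figure"
    if align:
        cls += " align-" + align
    if figclass:
        cls += " " + figclass                      # raw: a '"' ends the class attribute
    out = '<figure class="' + cls + '"'
    if figwidth:
        out += ' style="width:' + figwidth + '"'   # raw: second injection point
    return out + ">\n" + text + "</figure>\n"


# Hardened variant (assumed policy, not the project's fix): allowlist each option,
# drop anything that does not match, and HTML-escape what is emitted anyway.
_ALIGN_VALUES = {"left", "center", "right"}
_CLASS_TOKEN = re.compile(r"^[A-Za-z_][\w-]*$")              # one CSS class name
_CSS_LENGTH = re.compile(r"^\d+(\.\d+)?(px|%|em|rem|vw)?$")  # e.g. 320px, 50%


def render_figure_hardened(text, align=None, figwidth=None, figclass=None):
    classes = ["figure"]
    if align in _ALIGN_VALUES:
        classes.append("align-" + align)
    if figclass:
        # keep only tokens that look like class names; '"', '=' and
        # anything else that could start a new attribute never survive
        classes.extend(t for t in figclass.split() if _CLASS_TOKEN.match(t))
    attrs = ' class="%s"' % html.escape(" ".join(classes), quote=True)
    if figwidth and _CSS_LENGTH.match(figwidth):
        attrs += ' style="width:%s"' % html.escape(figwidth, quote=True)
    return "<figure" + attrs + ">\n" + text + "</figure>\n"


# Constructed sample input: attribute breakouts via figclass and figwidth. In a
# real document these arrive as directive options; here they are passed directly.
PAYLOAD_CLASS = '" onmouseover="alert(1)'
PAYLOAD_WIDTH = '100px" onfocus="alert(1)'
BODY = '<img src="x.png" alt="x">'


def demo():
    # Returns (vulnerable_output, hardened_output) for the same inputs so the
    # difference is visible side by side.
    vuln = render_figure_vulnerable(BODY, figwidth=PAYLOAD_WIDTH, figclass=PAYLOAD_CLASS)
    safe = render_figure_hardened(BODY, figwidth=PAYLOAD_WIDTH, figclass=PAYLOAD_CLASS)
    return vuln, safe


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable:", vuln)
    print("hardened:  ", safe)
```

Escaping quotes alone would stop the breakout, but the allowlist is what keeps figwidth from carrying arbitrary CSS into the style attribute and keeps figclass to plain class names, which is why the hardened version does both.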

Affected Version(s)

mistune <= 3.2.0

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published: 26 May 2026

  • Vulnerability reserved