HTML Injection Vulnerability in Mistune Markdown Parser by Lepture
CVE-2026-44898

6.1 MEDIUM

Key Information:

Vendor

Lepture

Status
Vendor
CVE Published:
26 May 2026

What is CVE-2026-44898?

Mistune, a Markdown parser for Python, has a vulnerability in versions prior to 3.2.1 that allows an attacker to inject arbitrary HTML tags, including elements, into the rendered table of contents. The issue arises because the render_toc_ul() function does not properly escape user-supplied heading text, so a crafted heading can break out of the href attribute context. To mitigate this risk, update Mistune to version 3.2.1 or later.
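The following is an added illustration of the failure class described above, not Mistune's own code: a hypothetical table-of-contents renderer in its unescaped "before" form beside a hardened form that escapes heading text for both the attribute context and the text context, plus a small parser-based check a test suite could use to confirm that the rendered TOC contains only the tags the renderer itself emitted. The sample headings, function names and data shape are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample TOC entries: (anchor id, heading text).
# Hypothetical data shape, not Mistune's internal model.
SAMPLE_TOC = [
    ("overview", "Overview"),
    ("fees", 'Fees & "Terms" <session>'),
]


def render_toc_ul_unescaped(toc):
    """'Before' form (hypothetical): id and heading text are interpolated
    into markup verbatim, so quotes and angle brackets in the heading
    become part of the HTML structure instead of displayed text."""
    items = [f'<li><a href="#{ident}">{text}</a></li>' for ident, text in toc]
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


def render_toc_ul_escaped(toc):
    """Hardened form: escape for the href attribute context (quote=True
    handles the double quote that would otherwise close the attribute)
    and for the element text context (angle brackets and ampersands)."""
    items = []
    for ident, text in toc:
        safe_id = html.escape(ident, quote=True)
        safe_text = html.escape(text, quote=True)
        items.append(f'<li><a href="#{safe_id}">{safe_text}</a></li>')
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


class _TagCollector(HTMLParser):
    """Records every start tag the HTML parser sees, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup):
    """Return the list of start tags a browser-like parser would see.
    A regression test can assert this equals the renderer's own
    structural tags (ul/li/a) and nothing contributed by heading text."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def toc_has_only_structural_tags(markup):
    """True when no tag other than ul/li/a appears in the rendered TOC."""
    return all(tag in {"ul", "li", "a"} for tag in start_tags(markup))


if __name__ == "__main__":
    print(render_toc_ul_unescaped(SAMPLE_TOC))
    print(start_tags(render_toc_ul_unescaped(SAMPLE_TOC)))
    print(render_toc_ul_escaped(SAMPLE_TOC))
    print(start_tags(render_toc_ul_escaped(SAMPLE_TOC)))
```

Running the block shows the unescaped renderer leaking a `session` start tag from the heading text, while the hardened renderer produces only `ul`, `li` and `a`. The check function is the useful part for a project: run it over TOC output generated from headings containing quotes, ampersands and angle brackets as a regression test after upgrading.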

Affected Version(s)

mistune < 3.2.1

CVSS v3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
