CPU Exhaustion Vulnerability in Mistune Markdown Parser by Lepture
CVE-2026-49851
8.7HIGH
What is CVE-2026-49851?
Mistune, a widely used Python library for parsing Markdown, is affected by a significant vulnerability in the parse_link_text function. This vulnerability allows for CPU exhaustion due to inefficient regex processing. When an attacker inputs specially crafted Markdown containing multiple consecutive brackets, the function incurs a superlinear increase in processing time, leading to excessive CPU utilization. This results in a Denial of Service condition, potentially impacting systems using the affected versions of the parser. The issue was addressed and resolved in version 3.3.0.
Affected Version(s)
mistune < 3.3.0
