Security Bypass Vulnerability in Mistune Python Markdown Parser
CVE-2026-59923
6.1MEDIUM
What is CVE-2026-59923?
Mistune, a widely used Python Markdown parser, has a vulnerability where the HTMLRenderer.safe_url() function fails to properly block percent-encoded JavaScript URIs. This oversight allows malicious users to submit crafted Markdown links or images, effectively bypassing URL protections. As a result, harmful scripts can be executed in the rendered HTML, posing a significant security risk. This issue has been addressed in Mistune version 3.3.0, where improved sanitization measures are now in place to protect against such attacks.
Affected Version(s)
mistune < 3.3.0
