Security Bypass Vulnerability in Mistune Python Markdown Parser
CVE-2026-59923

6.1MEDIUM

Key Information:

Vendor

Lepture

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59923?

Mistune, a widely used Python Markdown parser, has a vulnerability where the HTMLRenderer.safe_url() function fails to properly block percent-encoded JavaScript URIs. This oversight allows malicious users to submit crafted Markdown links or images, effectively bypassing URL protections. As a result, harmful scripts can be executed in the rendered HTML, posing a significant security risk. This issue has been addressed in Mistune version 3.3.0, where improved sanitization measures are now in place to protect against such attacks.

Affected Version(s)

mistune < 3.3.0

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.