Directory Traversal in Mistune Python Markdown Parser by Lepture
CVE-2026-59924
5.9MEDIUM
What is CVE-2026-59924?
The Mistune Python Markdown parser is vulnerable to a directory traversal issue. Prior to version 3.3.0, the Include.parse() method combines user-supplied include paths without confirming that the resolved path remains confined within the designated markdown directory. This vulnerability can be exploited through specially crafted include paths, potentially granting unauthorized access to files outside the intended directory during the processing of markdown files. Users are advised to update to version 3.3.0 or later to mitigate this issue.
Affected Version(s)
mistune < 3.3.0
