Cross-Site Scripting Vulnerability in Mistune Python Markdown Parser
CVE-2026-59926
5.3MEDIUM
What is CVE-2026-59926?
The Python Markdown parser Mistune contains a vulnerability in its rendering of the Admonition directive. Specifically, the render_admonition() function in the src/mistune/directives/admonition.py file concatenates the Admonition directive :class: option directly into the HTML class attribute without proper escaping. This oversight can lead to attribute injection and potential cross-site scripting (XSS) attacks, even when the HTMLRenderer's escape mode is activated. This vulnerability has been addressed and fixed in version 3.2.1.
Affected Version(s)
mistune < 3.2.1
