Cross-Site Scripting Vulnerability in Mistune Python Markdown Parser
CVE-2026-59926

5.3MEDIUM

Key Information:

Vendor

Lepture

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59926?

The Python Markdown parser Mistune contains a vulnerability in its rendering of the Admonition directive. Specifically, the render_admonition() function in the src/mistune/directives/admonition.py file concatenates the Admonition directive :class: option directly into the HTML class attribute without proper escaping. This oversight can lead to attribute injection and potential cross-site scripting (XSS) attacks, even when the HTMLRenderer's escape mode is activated. This vulnerability has been addressed and fixed in version 3.2.1.

Affected Version(s)

mistune < 3.2.1

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.