Denial of Service Vulnerability in Mistune Python Markdown Parser
CVE-2026-59928

7.5HIGH

Key Information:

Vendor

Lepture

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59928?

The Mistune parser, a Python-based Markdown renderer, has a vulnerability that allows attackers to craft specific Markdown documents with numerous repeated or distinct reference-link definitions. This causes the block parser to perform inefficiently, resulting in excessive CPU usage, which can lead to denial of service through resource exhaustion. Users are advised to upgrade to version 3.3.0 or later, where this issue has been rectified.

Affected Version(s)

mistune < 3.3.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.