Python Markdown Parser Vulnerability in Mistune by Lepture
CVE-2026-59929

6.1MEDIUM

Key Information:

Vendor

Lepture

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59929?

Mistune, a Python Markdown parser, contains a flaw in the safe_url filter that inadvertently allows certain legacy or chained schemes, such as feed:, view-source:, jar:, and others, to bypass security measures prior to version 3.3.0. This vulnerability can lead to the potential execution of harmful scripts in user agents. The issue is resolved in version 3.3.0, but earlier versions can expose users to security risks.

Affected Version(s)

mistune < 3.3.0

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.