Python Markdown Parser Vulnerability in Mistune Affects Various Applications
CVE-2026-59930

4.3MEDIUM

Key Information:

Vendor

Lepture

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59930?

The Mistune Markdown parser has a vulnerability in its toc plugin and TableOfContents directive that enables the generation of predictable heading IDs (toc_N). This behavior allows attackers to create conflicting IDs that collide with generated anchors on the same page. Such manipulation can compromise the integrity of navigation, affecting CSS selectors or JavaScript handlers and potentially leading to unpredictable behavior within affected applications. This issue has been rectified in version 3.3.0 of Mistune.

Affected Version(s)

mistune < 3.3.0

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.