CVE Catalog

CVE-2026-44896

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Summary

Mistune is a Python Markdown parser that in versions 3.2.0 and earlier has a vulnerability in the render_figure() function in src/mistune/directives/image.py. This function concatenates figclass and figwidth options without proper escaping, leading to attribute injection and XSS vulnerabilities.

Risk Assessment

This vulnerability can lead to serious security threats, allowing attackers to inject malicious code into applications, potentially resulting in data theft or system takeover.

Recommendation

It is recommended to upgrade to version 3.2.1 or later, which contains a patch that addresses this vulnerability.

Original NVD description (English source)

Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer. Version 3.2.1 contains a patch.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS