CVE Catalog

CVE-2026-49851

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile - higher than 27% of all known CVEs

Summary

Mistune is a Python Markdown parser. Prior to version 3.3.0, it is vulnerable to a CPU exhaustion DoS due to quadratic complexity in the parse_link_text function. Processing many consecutive [ characters in Markdown input causes repeated scanning, leading to excessive CPU usage even with a small payload.

Risk Assessment

An attacker can send crafted Markdown input causing significant slowdown or complete denial of service on servers or applications using the vulnerable Mistune library.

Recommendation

Immediately update Mistune to version 3.3.0 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. When parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior. An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload. This vulnerability is fixed in 3.3.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS