CVE-2026-59924
Received Received - Intake

Path Traversal in Mistune Markdown Parser

Vulnerability report for CVE-2026-59924, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse() joins and normalizes user-supplied include paths without verifying that the result remains within the intended markdown directory, allowing crafted include paths to access files outside that directory when markdown files are processed using md.read(). This issue is fixed in version 3.3.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
lepture mistune to 3.3.0 (exc)
lepture mistune 3.1.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59924 is a path traversal vulnerability in the Mistune Python Markdown parser, specifically affecting versions 3.1.4 and earlier.

The vulnerability occurs because the Include.parse() method joins and normalizes user-supplied include paths without verifying that the resulting path remains within the intended markdown directory.

This allows an attacker to craft include paths with sequences like "../" to access files outside the intended directory when markdown files are processed using md.read().

An attacker could exploit this by creating a malicious markdown file that includes relative paths pointing to sensitive system files, which would then be read during processing.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive files on the system where Mistune is used to process markdown files.

Because the vulnerability allows reading arbitrary files outside the intended directory, an attacker could access confidential information such as configuration files, credentials, or other sensitive data.

The impact is considered moderate with a CVSS score of 5.9, as exploitation requires network access but no privileges or user interaction.

Detection Guidance

This vulnerability can be detected by identifying if your system is using the mistune Python package version 3.1.4 or earlier with the Include directive enabled. Specifically, look for markdown files processed by mistune that contain crafted include paths with directory traversal sequences such as "../".

To detect exploitation attempts or presence of vulnerable versions, you can search for markdown files containing suspicious include directives or monitor logs for file access outside the intended markdown directory.

Example commands to help detect this vulnerability or exploitation attempts include:

  • Search for markdown files with include directives containing "../": grep -r --include="*.md" "include" . | grep "\.\./"
  • Check the installed mistune package version in your Python environment: pip show mistune
  • Monitor file access logs or audit logs for unexpected reads outside markdown directories, especially files accessed via mistune processes.
Mitigation Strategies

The immediate mitigation step is to upgrade the mistune package to version 3.3.0 or later, where this vulnerability is fixed.

This update includes validation of include paths to ensure they remain within the intended markdown directory, preventing path traversal attacks.

Additionally, review and restrict markdown files that use the Include directive to trusted sources only, and consider applying input validation or sanitization on user-supplied markdown content.

Compliance Impact

CVE-2026-59924 is a path traversal vulnerability that allows an attacker to read arbitrary files outside the intended markdown directory by exploiting the Include.parse() method in the Mistune Python package.

This unauthorized file access could potentially expose sensitive or confidential information if such data is stored on the system and accessible via the vulnerable markdown processing.

Exposure of sensitive data may lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls over access to personal or protected health information.

Therefore, organizations using affected versions of Mistune without the fix may face increased risk of violating these standards due to the possibility of unauthorized data disclosure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59924. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart