CVE-2026-59926
Received Received - Intake

Mistune Markdown Parser Admonition Attribute Injection Vulnerability

Vulnerability report for CVE-2026-59926, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even when HTMLRenderer escape mode is enabled. This issue is fixed in version 3.2.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
lepture mistune 3.2.1
lepture mistune 3.3.0
lepture mistune to 3.2.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59926 is a Cross-Site Scripting (XSS) vulnerability in the Mistune Python Markdown parser, specifically in the render_admonition() function of the Admonition directive.

The vulnerability arises because the :class: option is concatenated directly into the HTML class attribute without proper escaping, allowing attackers to inject malicious attributes or scripts.

This happens even when the HTMLRenderer escape mode is enabled, making it possible to execute arbitrary scripts in the context of the rendered markdown.

The directive name is validated against a whitelist, but the class option is taken from raw user input, which is not escaped, leading to this security issue.

The issue was fixed in Mistune version 3.2.1 by properly escaping the class attribute before rendering.

Impact Analysis

This vulnerability can allow attackers to perform Cross-Site Scripting (XSS) attacks by injecting malicious scripts into the HTML output generated by Mistune.

If you use Mistune to render markdown content that includes user input, an attacker could exploit this flaw to execute arbitrary JavaScript in the browsers of users viewing the rendered content.

Such XSS attacks can lead to session hijacking, defacement, theft of sensitive information, or other malicious actions performed in the context of the affected web application.

The vulnerability has a moderate severity score (CVSS 5.3), indicating a significant risk especially in web applications that render untrusted markdown content.

Detection Guidance

This vulnerability affects Mistune versions 3.2.0 and earlier, specifically in the render_admonition() function where the :class: option is not properly escaped, allowing XSS attacks.

To detect if your system is vulnerable, first check the installed Mistune version.

  • Run the command: pip show mistune
  • Or, if using pip3: pip3 show mistune

If the version is 3.2.0 or earlier, your system is vulnerable.

Additionally, you can search your codebase or markdown files for usage of the Admonition directive with the :class: option to identify potential injection points.

Mitigation Strategies

The primary mitigation step is to upgrade Mistune to version 3.2.1 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, avoid using the Admonition directive's :class: option or sanitize any user input that may be passed to it to prevent injection.

Review your markdown rendering configuration to ensure that HTML escaping is enabled, although this alone does not fully mitigate the issue.

Compliance Impact

The vulnerability in Mistune allows for Cross-Site Scripting (XSS) attacks due to improper escaping of user input in HTML class attributes. XSS vulnerabilities can lead to unauthorized script execution in users' browsers, potentially exposing sensitive data or enabling session hijacking.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and disclosure. Failure to mitigate XSS vulnerabilities may result in non-compliance due to inadequate security controls.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59926. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart