CVE-2026-59927
Received Received - Intake

Include Directive Recursion Flaw in Mistune

Vulnerability report for CVE-2026-59927, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect cycles, allowing two markdown files that include each other to trigger unbounded recursion, raise RecursionError, and crash the rendering request. This issue is fixed in version 3.3.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
lepture mistune to 3.3.0 (exc)
lepture mistune 3.3.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
CWE-755 The product does not handle or incorrectly handles an exceptional condition.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59927 is a vulnerability in the Mistune Python Markdown parser's Include directive. The issue occurs because the directive only detects direct self-includes but fails to detect indirect cycles where two markdown files include each other. This mutual inclusion causes unbounded recursion, which eventually raises a RecursionError and crashes the rendering process.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) by crashing the renderer and any application using Mistune to process user-supplied markdown. An attacker can exploit this by uploading two markdown files that include each other, triggering unbounded recursion and causing the application to crash due to a RecursionError.

Detection Guidance

This vulnerability can be detected by testing whether the Mistune library in use is vulnerable to indirect include cycles between markdown files. Specifically, you can attempt to create two markdown files that include each other (e.g., a.md includes b.md and b.md includes a.md) and then process them with the Mistune parser to see if it triggers a RecursionError or causes the renderer to crash.

Since the issue arises from unbounded recursion caused by indirect cycles in included markdown files, detection involves verifying if the Mistune version is prior to 3.3.0 and testing for crashes or RecursionErrors when processing mutually including markdown files.

There are no specific network or system commands provided in the resources to detect this vulnerability automatically.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the Mistune library to version 3.3.0 or later, where this vulnerability has been fixed.

The fix in version 3.3.0 includes validation of include paths to prevent directory traversal, absolute path inclusion, and circular references by tracking included files in a stack and detecting cycles to stop further inclusion.

If upgrading is not immediately possible, avoid processing untrusted or attacker-controlled markdown files that could include each other and trigger the recursion.

Compliance Impact

The vulnerability in Mistune allows unbounded recursion leading to a denial of service (DoS) by crashing the rendering process. This primarily impacts the availability of applications using Mistune to process markdown files.

While the vulnerability affects availability, there is no indication from the provided information that it impacts confidentiality or integrity of data, which are critical factors in compliance with standards like GDPR or HIPAA.

Therefore, this vulnerability may pose a risk to service availability but does not directly affect compliance with data protection regulations that focus on personal data confidentiality and integrity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59927. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart