Lucene search
+L

12 matches found

OSV
OSV
added 3 days ago2 views

OPENSUSE-SU-2026:21339-1 Security update for python-mistune

This update for python-mistune fixes the following issues - CVE-2026-59922: quadratic-time parsing on long runs of some markers in formatting.py can lead to DoS bsc1271117. - CVE-2026-59923: HTMLRenderer.safeurl does not block percent-encoded javascript URIs and allows for XSS bsc1271119. -...

7.5CVSS6.3AI score0.00366EPSS
Exploits8References19
Tenable Nessus
Tenable Nessus
added 2026/07/09 12:0 a.m.8 views

Linux Distros Unpatched Vulnerability : CVE-2026-59930

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the toc plugin and TableOfContents directive generate heading IDs as predictable...

4.3CVSS6.1AI score0.00128EPSS
Exploits1References3
OSV
OSV
added 2026/05/26 9:16 p.m.7 views

DEBIAN-CVE-2026-44898

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, rendertocul builds a table-of-contents tree from a list of level, id, text tuples. Both the id value used as href="" and the text value used as the visible link label are inserted into tags via a plain Python format...

6.1CVSS5.9AI score0.00228EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/26 8:40 p.m.9 views

CVE-2026-44897 Mistune Heading ID Attribute Injection XSS

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading builds the opening tag by string-concatenating the id attribute value directly into the HTML — with no call to escape, safeentity, or any other sanitisation function. A double-quote character " in...

6.1CVSS6AI score0.00228EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/05/26 8:40 p.m.40 views

CVE-2026-44897 Mistune Heading ID Attribute Injection XSS

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading builds the opening tag by string-concatenating the id attribute value directly into the HTML — with no call to escape, safeentity, or any other sanitisation function. A double-quote character " in...

6.1CVSS0.00228EPSS
Exploits1References2
EUVD
EUVD
added 2026/05/26 8:40 p.m.17 views

EUVD-2026-31994

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading builds the opening tag by string-concatenating the id attribute value directly into the HTML — with no call to escape, safeentity, or any other sanitisation function. A double-quote character " in...

6.1CVSS6AI score0.00228EPSS
Exploits1References2
CVE
CVE
added 2026/05/26 8:40 p.m.44 views

CVE-2026-44897

Mistune prior to 3.2.1 constructs the HTML heading tag by appending the id attribute value directly, without escaping. If the heading_id callback returns raw text containing quotes or markup, an attacker can inject arbitrary attributes (e.g., onmouseover, src, href) into the element, enabling XS...

6.1CVSS6AI score0.00228EPSS
Exploits1References2Affected Software1
Debian CVE
Debian CVE
added 2026/05/26 8:40 p.m.10 views

CVE-2026-44897

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading builds the opening tag by string-concatenating the id attribute value directly into the HTML — with no call to escape, safeentity, or any other sanitisation function. A double-quote character " in...

6.1CVSS6AI score0.00228EPSS
Exploits1
OSV
OSV
added 2026/05/09 12:13 a.m.6 views

GHSA-V87V-83H2-53W7 Mistune Heading ID Attribute has Injection XSS

Summary HTMLRenderer.heading builds the opening tag by string-concatenating the id attribute value directly into the HTML — with no call to escape, safeentity, or any other sanitisation function. A double-quote character " in the id value terminates the attribute, allowing an attacker to inject...

6.1CVSS6AI score0.00228EPSS
Exploits1References4
Snyk
Snyk
added 2026/05/09 12:13 a.m.12 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the HTMLRenderer heading rendering path in the HTML renderer. An attacker can inject arbitrary HTML by supplying a heading id attribute value that contains quotes and markup. The rendered output can be alter...

6.1CVSS5.8AI score0.00228EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/05/09 12:13 a.m.13 views

Mistune Heading ID Attribute has Injection XSS

Summary HTMLRenderer.heading builds the opening tag by string-concatenating the id attribute value directly into the HTML — with no call to escape, safeentity, or any other sanitisation function. A double-quote character " in the id value terminates the attribute, allowing an attacker to inject...

6.1CVSS6AI score0.00228EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/09 12:0 a.m.12 views

PT-2026-39330

Name of the Vulnerable Software and Affected Versions mistune versions prior to 3.2.1 Description In the HTMLRenderer.heading function within src/mistune/renderers/html.py, the id attribute of heading tags is constructed by directly concatenating the value into the HTML without sanitization. When...

6.1CVSS6AI score0.00228EPSS
Exploits1References11
Rows per page
Query Builder