5 matches found
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the safeurl process. An attacker can inject malicious URLs into rendered href and src attributes by crafting links that use legacy or chained schemes, potentially leading to script execution in affected user...
CVE-2026-59929
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safeurl filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:...
CVE-2026-59929 Mistune renderers/html.safe_url: HARMFUL_PROTOCOLS list misses legacy and chained schemes that historically chain to `javascript:` execution
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safeurl filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:...
CVE-2026-59929
Mistune is a Python Markdown parser. CVE-2026-59929 affects the safe_url filter in src/mistune/renderers/html.py prior to version 3.3.0, which blocks only javascript:, vbscript:, file:, and data: schemes. This allowed legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha...
PT-2026-56512
Name of the Vulnerable Software and Affected Versions Mistune versions prior to 3.3.0 Description The safe url filter in src/mistune/renderers/html.py fails to block several legacy or chained URI schemes. While it restricts javascript:, vbscript:, file:, and data:, it allows schemes such as feed:...