Mistune: XSS via unescaped figclass/figwidth in Figure directive
CVE-2026-44896 Mistune: XSS via unescaped figclass/figwidth in Figure directive
Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when...
CVE-2026-44896
Mistune (Python Markdown parser) contains an XSS flaw in the image figure directive. In versions 3.2.0 and earlier, render_figure() concatenates figclass and figwidth into HTML attributes without escaping, allowing attribute injection and XSS even when HTMLRenderer(escape=True) is enabled, becaus...
GHSA-58CW-G322-P94V Mistune has XSS via unescaped figclass/figwidth in Figure directive
In src/mistune/directives/image.py, the render_figure function concatenates figclass and figwidth options directly into HTML attributes without escaping (lines 152-168). This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer...