Pypi · Mistune · CVE-2026-44896
**Name of the Vulnerable Software and Affected Versions**
Mistune (affected versions not specified)
**Description**
The `render_figure()` function in `src/mistune/directives/image.py` concatenates the `figclass` and `figwidth` directive options directly into HTML attributes without escaping. This allows attribute injection and Cross-Site Scripting (XSS), in which attacker-controlled script is injected into a trusted page, even when `HTMLRenderer(escape=True)` is enabled, because these option values bypass the inline renderer and its escaping.
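To illustrate the flaw and the corresponding fix, here is an added stand-alone example (not mistune's own code): a renderer that pastes the option values into attributes verbatim, beside a hardened one that attribute-escapes every value and allow-lists `figwidth` as a CSS length. The option values and the allow-list pattern are constructed assumptions for the demonstration.

```python
import html
import re
from typing import List, Optional

# Constructed directive option values (not taken from mistune or the advisory).
BENIGN = {"figclass": "align-center", "figwidth": "50%"}
HOSTILE = {"figclass": 'align-center" data-x="injected', "figwidth": "50%"}

# Allow-list for figwidth: a plain CSS length (assumption, not mistune's rule).
_CSS_LENGTH = re.compile(r"\d+(\.\d+)?(px|%|em|rem)")


def render_figure_unsafe(figclass: Optional[str], figwidth: Optional[str]) -> str:
    """Mimics the advisory's flaw: option values are concatenated into
    attributes verbatim, so a double quote inside a value closes the
    attribute early and whatever follows becomes a new attribute."""
    attrs = ""
    if figclass:
        attrs += ' class="figure ' + figclass + '"'
    if figwidth:
        attrs += ' style="width:' + figwidth + '"'
    return "<figure" + attrs + ">"


def render_figure_safe(figclass: Optional[str], figwidth: Optional[str]) -> str:
    """Hardened form: attribute-escape every value (html.escape with
    quote=True turns a double quote into &quot;), and additionally
    allow-list figwidth, since escaping alone does not validate what
    ends up inside a style value."""
    attrs = ""
    if figclass:
        attrs += ' class="figure ' + html.escape(figclass, quote=True) + '"'
    if figwidth and _CSS_LENGTH.fullmatch(figwidth):
        attrs += ' style="width:' + html.escape(figwidth, quote=True) + '"'
    return "<figure" + attrs + ">"


def attribute_names(tag: str) -> List[str]:
    """Crude check used to compare the two renderers: the attribute names
    present in one opening tag. Extra names mean attribute injection."""
    return re.findall(r'\s([\w-]+)="[^"]*"', tag)


if __name__ == "__main__":
    for label, opts in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, "unsafe:", attribute_names(render_figure_unsafe(**opts)))
        print(label, "safe:  ", attribute_names(render_figure_safe(**opts)))
```

With the hostile `figclass`, the unsafe renderer emits three attributes (the smuggled `data-x` among them) while the safe renderer emits only `class` and `style`.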
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.