CVE-2026-44708

Name of the Vulnerable Software and Affected Versions Mistune (affected versions not specified)

Description The math plugin in Mistune fails to sanitize user-supplied content when rendering inline math ($...$) and block math ($$...$$). The plugin concatenates raw input directly into the HTML output, ignoring the escape=True flag intended to ensure all user-controlled text is sanitized before reaching the DOM. This occurs within the render inline math() and render block math() functions located in src/mistune/plugins/math.py, which do not call the necessary escaping utilities or check the renderer's escape status. Consequently, an attacker can bypass security controls to execute Cross-Site Scripting (XSS) attacks, potentially allowing the exfiltration of session cookies, mutation of page content, or redirection of users.

Recommendations As a temporary workaround, consider disabling the math plugin until a patch is available.