CVE-2026-44896

Name of the Vulnerable Software and Affected Versions Mistune (affected versions not specified)

Description The render figure() function in src/mistune/directives/image.py concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and Cross-Site Scripting (XSS), a technique where malicious scripts are injected into trusted websites, even when HTMLRenderer(escape=True) is enabled, as these specific values bypass the inline renderer.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.