PT-2026-56511 · Pypi · Mistune

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-59926

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Mistune versions prior to 3.2.1
Description The render admonition() function in src/mistune/directives/admonition.py concatenates the :class: option of the Admonition directive into the HTML class attribute without proper escaping. This allows for attribute injection and cross-site scripting (XSS), a technique where malicious scripts are injected into trusted websites, even when the HTMLRenderer escape mode is active.
Recommendations Update to version 3.2.1.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59926

Affected Products

Mistune