PT-2026-56511 · Pypi · Mistune
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-59926
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Mistune versions prior to 3.2.1
Description
The
render admonition() function in src/mistune/directives/admonition.py concatenates the :class: option of the Admonition directive into the HTML class attribute without proper escaping. This allows for attribute injection and cross-site scripting (XSS), a technique where malicious scripts are injected into trusted websites, even when the HTMLRenderer escape mode is active.Recommendations
Update to version 3.2.1.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mistune