PT-2026-56513 · Lepture · Mistune

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-59930

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the toc plugin and TableOfContents directive generate heading IDs as predictable toc N values without slugifying the heading text, allowing attacker-controlled id="toc N" content to collide with generated anchors and redirect same-page navigation, CSS selectors, or JavaScript handlers. This issue is fixed in version 3.3.0.

Fix

Insufficient Verification of Data Authenticity

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59930

Affected Products

Mistune