CVE-2026-59922
HIGHMistune plugins/formatting: quadratic-time parsing on long runs of `~~x~~`, `==x==`, and `^^x^^` markers (strikethrough / mark / insert)
Title source: cnaDescription
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugins/formatting.py when the strikethrough, mark, or insert plugin scans for matching markers from each possible start position, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/lepture/mistune/security/advisories/GHSA-c8j7-8cv4-2xmq
X_Refsource_Misc x_refsource_misc
https://github.com/lepture/mistune/commit/96d0f57f8fe9eeb06bb4cff521962a27d7c402e7
X_Refsource_Misc x_refsource_misc
https://github.com/lepture/mistune/releases/tag/v3.3.0
Scores
CVSS v3
7.5
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-1333
CWE-407
Status
published
Products (1)
lepture/mistune
< 3.3.0
Published
Jul 08, 2026
Tracked Since
Jul 08, 2026