CVE-2026-59926

MEDIUM

Mistune: XSS via unescaped class option in Admonition directive

Title source: cna
STIX 2.1

Description

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even when HTMLRenderer escape mode is enabled. This issue is fixed in version 3.2.1.

Scores

CVSS v4 5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Details

CWE
CWE-79
Status published
Products (1)
lepture/mistune < 3.2.1
Published Jul 08, 2026
Tracked Since Jul 08, 2026