CVE-2026-44898

6.1 MEDIUM

Mistune is a Python Markdown parser with renderers and plugins

Published: 2026-05-26 · Last updated: 2026-05-28

Severity and scoring

CVSS: 6.1 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Affected products

Vendor	Product
mistune_project	mistune

Description

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a <ul> table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href="#<id>") and the text value (used as the visible link label) are inserted into <a> tags via a plain Python format string — with no HTML escaping applied to either value. When heading IDs are derived from user-supplied heading text (the standard use-case for readable slug anchors), an attacker can craft a heading whose text breaks out of the href="#..." attribute context, injecting arbitrary HTML tags including <script> blocks directly into the rendered TOC. This vulnerability is fixed in 3.2.1.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44898
[Other]https://github.com/lepture/mistune/releases/tag/v3.2.1
[Vendor advisory]https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv
[Vendor advisory]https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv

Related CVEs

Same vendor

CVE-2026-44899 — Mistune is a Python Markdown parser with renderers and plugins (4.7 MEDIUM)
CVE-2026-44897 — Mistune is a Python Markdown parser with renderers and plugins (6.1 MEDIUM)
CVE-2026-44896 — Mistune is a Python Markdown parser with renderers and plugins (6.1 MEDIUM)
CVE-2026-44708 — Mistune is a Python Markdown parser with renderers and plugins (6.1 MEDIUM)

Same CWE

CVE-2026-12425 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
CVE-2024-30476 — PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
CVE-2026-54198 — Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions (7.1 HIGH)
CVE-2026-54191 — Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)
CVE-2026-39437 — Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions (7.1 HIGH)