CVE-2026-59923

Severity CVSS v4.0:
Pending analysis
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
08/07/2026
Last modified:
09/07/2026

Description

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safe_url() does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or images to bypass URL protections and execute script in rendered HTML. This issue is fixed in version 3.3.0.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:mistune_project:mistune:*:*:*:*:*:*:*:* 3.3.0 (excluding)