Mistune Project

Mistune

17 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
Exploit
  • EPSS 0.23%
  • Veröffentlicht 26.05.2026 20:40:42
  • Zuletzt bearbeitet 28.05.2026 13:42:42

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading() builds the opening <hN> tag by string-concatenating the id attribute value directly into the HTML — with no call to escape(), safe_entity(), or any...

Exploit
  • EPSS 0.23%
  • Veröffentlicht 26.05.2026 20:39:18
  • Zuletzt bearbeitet 28.05.2026 13:44:30

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the mistune math plugin renders inline math ($...$) and block math ($$...$$) by concatenating the raw user-supplied content directly into the HTML output without any HTML...

Exploit
  • EPSS 0.23%
  • Veröffentlicht 26.05.2026 20:36:40
  • Zuletzt bearbeitet 28.05.2026 13:38:38

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the Image directive plugin validates the :width: and :height: options with a regex compiled as _num_re = re.compile(r"^\d+(?:\.\d*)?"). When the validated value is not a ...

  • EPSS 0.2%
  • Veröffentlicht 26.05.2026 20:33:38
  • Zuletzt bearbeitet 09.06.2026 00:16:53

Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This all...

  • EPSS 1.22%
  • Veröffentlicht 25.07.2022 23:15:07
  • Zuletzt bearbeitet 21.11.2024 07:10:06

In mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.

  • EPSS 2.22%
  • Veröffentlicht 29.12.2017 15:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the "key" argument.

Exploit
  • EPSS 0.92%
  • Veröffentlicht 19.10.2017 08:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions.