CVE-2026-59922

NameCVE-2026-59922
DescriptionMistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugins/formatting.py when the strikethrough, mark, or insert plugin scans for matching markers from each possible start position, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mistune (PTS)bullseye0.8.4-4vulnerable
bookworm2.0.4-1vulnerable
trixie3.1.3-1vulnerable
forky, sid3.1.4-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mistunesource(unstable)(unfixed)

Notes

https://github.com/lepture/mistune/security/advisories/GHSA-c8j7-8cv4-2xmq
Fixed by: https://github.com/lepture/mistune/commit/96d0f57f8fe9eeb06bb4cff521962a27d7c402e7 (v3.3.0)

Search for package or bug name: Reporting problems