CVE-2026-59924

NameCVE-2026-59924
DescriptionMistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse() joins and normalizes user-supplied include paths without verifying that the result remains within the intended markdown directory, allowing crafted include paths to access files outside that directory when markdown files are processed using md.read(). This issue is fixed in version 3.3.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mistune (PTS)bullseye0.8.4-4vulnerable
bookworm2.0.4-1vulnerable
trixie3.1.3-1vulnerable
forky, sid3.1.4-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mistunesource(unstable)(unfixed)

Notes

https://github.com/lepture/mistune/security/advisories/GHSA-r4rv-85jg-w4mf
https://github.com/lepture/mistune/security/advisories/GHSA-r4rv-85jg-w4mf
Fixed by: https://github.com/lepture/mistune/commit/1bef343ade163fc3bb95572b15be720084cdb993 (v3.3.0)

Search for package or bug name: Reporting problems