CVE-2026-59927

NameCVE-2026-59927
DescriptionMistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect cycles, allowing two markdown files that include each other to trigger unbounded recursion, raise RecursionError, and crash the rendering request. This issue is fixed in version 3.3.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mistune (PTS)bullseye0.8.4-4vulnerable
bookworm2.0.4-1vulnerable
trixie3.1.3-1vulnerable
forky, sid3.1.4-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mistunesource(unstable)(unfixed)

Notes

https://github.com/lepture/mistune/security/advisories/GHSA-8mpj-m6qm-5qr8
Fixed by: https://github.com/lepture/mistune/commit/1bef343ade163fc3bb95572b15be720084cdb993 (v3.3.0)

Search for package or bug name: Reporting problems