mistune (PyPI)
4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting mistune
- CVE-2017-15612: MEDIUM, CVSS 6.1, EG 6.1; fixed in 0.8; 2017-10-19
vulnerable: 0.1.0 ... 0.7.4 (14 versions)
mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions.
- CVE-2017-16876: MEDIUM, CVSS 6.1, EG 6.1; fixed in 0.8.1; 2017-12-29
vulnerable: 0.1.0 ... 0.8 (15 versions)
Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the "key" argument.
- CVE-2022-34749: HIGH, CVSS 7.5, EG 7.5; fixed in 2.0.3; 2022-07-25
vulnerable: 2.0.0 ... 2.0.2 (10 versions)
In mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.
- CVE-2026-33079: HIGH, CVSS 8.7, EG 8.7; fixed in 3.2.1; 2026-05-06
vulnerable: 3.0.0 ... 3.2.0 (17 versions)
In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expr…