PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44896 lepture CVE debrief

A cross-site scripting (XSS) vulnerability exists in Mistune, a Python Markdown parser, affecting versions 3.2.0 and earlier. The vulnerability resides in the `render_figure()` function within `src/mistune/directives/image.py`, where `figclass` and `figwidth` directive options are concatenated directly into HTML attributes without proper escaping. This bypasses the `escape=True` protection in `HTMLRenderer`, allowing attribute injection and subsequent XSS attacks even when the renderer's inline escaping is enabled. The flaw enables attackers to inject malicious HTML attributes through crafted Markdown figure directives, potentially leading to arbitrary JavaScript execution in browser contexts where the rendered output is displayed.

Vendor: lepture
Product: mistune
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-27
Advisory published: 2026-05-26
Advisory updated: 2026-05-27

Who should care

Organizations using Mistune 3.2.0 or earlier to render untrusted Markdown content in web applications, particularly those relying on `HTMLRenderer(escape=True)` as a security control. Developers building documentation systems, content management platforms, or any application processing user-supplied Markdown with figure directives.

Technical summary

The vulnerability stems from improper output encoding in Mistune's figure directive renderer. When processing Markdown figure directives with `figclass` or `figwidth` options, the `render_figure()` function directly interpolates these values into HTML attribute strings without HTML entity encoding. This occurs outside the normal inline rendering path, causing the `escape=True` parameter of `HTMLRenderer` to be ineffective for these specific attributes. Attackers can exploit this by crafting Markdown content containing figure directives with malicious payloads in class or width specifications, resulting in arbitrary HTML attribute injection when the content is rendered.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Mistune to a version newer than 3.2.0 that contains the security fix
  • Review application code for any custom figure directive implementations that may replicate the vulnerable pattern
  • Implement Content Security Policy (CSP) headers to mitigate impact of potential XSS vectors
  • Audit Markdown content sources for untrusted input that may leverage figure directives
  • Consider input validation or sanitization for figclass and figwidth values before Markdown processing if immediate patching is not feasible
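The following is an added illustration, not Mistune's own code, of the pattern described in the technical summary and of the interim validation suggested in the last action above. The renderer functions are a hypothetical model of a figure directive that builds the `class` and `style` attributes itself, outside the inline escaping path: one concatenates the option values raw, the other entity-encodes them. `validate_figure_options` is an assumed allow-list (CSS class tokens and simple CSS lengths) that a caller could apply before Markdown processing, and `figure_attributes` is a small HTML-parser check that shows which attributes actually land on the rendered `<figure>` tag. All sample option values are constructed for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical model of the vulnerable renderer pattern (illustrative only,
# not Mistune's implementation): option values are pasted straight into
# attribute strings, so the renderer's inline escaping never sees them.
def render_figure_unescaped(body_html, figclass=None, figwidth=None):
    cls = "figure"
    if figclass:
        cls += " " + figclass
    style = f' style="width:{figwidth}"' if figwidth else ""
    return f'<figure class="{cls}"{style}>{body_html}</figure>'


# Hardened counterpart: every option value is entity-encoded before it is
# placed inside an attribute. quote=True also encodes " and ', which is what
# keeps a value from closing the attribute it sits in.
def render_figure_escaped(body_html, figclass=None, figwidth=None):
    cls = "figure"
    if figclass:
        cls += " " + html.escape(figclass, quote=True)
    style = ""
    if figwidth:
        style = f' style="width:{html.escape(figwidth, quote=True)}"'
    return f'<figure class="{cls}"{style}>{body_html}</figure>'


# Assumed allow-list for the interim mitigation: figclass must be one or more
# CSS class tokens, figwidth a plain CSS length. Anything else is rejected
# before the Markdown ever reaches the renderer.
_CLASS_TOKENS = re.compile(r"^[A-Za-z_][\w-]*(?:\s+[A-Za-z_][\w-]*)*$")
_CSS_LENGTH = re.compile(r"^\d+(?:\.\d+)?(?:px|em|rem|%|vw|ch)?$")


def validate_figure_options(figclass=None, figwidth=None):
    """Return True only when both option values fit the allow-list."""
    if figclass is not None and not _CLASS_TOKENS.match(figclass):
        return False
    if figwidth is not None and not _CSS_LENGTH.match(figwidth):
        return False
    return True


class _FigureAttrs(HTMLParser):
    """Collect the attributes of the first <figure> tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "figure" and self.attrs is None:
            self.attrs = dict(attrs)


def figure_attributes(rendered):
    """Return {attribute: value} as a browser-style parser would see it."""
    parser = _FigureAttrs()
    parser.feed(rendered)
    return parser.attrs or {}


if __name__ == "__main__":
    # Constructed option value containing a double quote: it closes the
    # class attribute and leaves a second attribute behind in the raw path.
    constructed = 'wide" data-injected="1'
    print(figure_attributes(render_figure_unescaped("<img>", figclass=constructed)))
    print(figure_attributes(render_figure_escaped("<img>", figclass=constructed)))
    print(validate_figure_options(figclass=constructed, figwidth="50%"))
```

Running the module shows the raw renderer producing a `data-injected` attribute on the figure tag while the escaped renderer keeps the whole constructed string inside the single `class` value; the validator rejects the same input up front, which is the behaviour to look for when testing a workaround before the upgrade lands.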

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-58cw-g322-p94v. Affected component: `src/mistune/directives/image.py`, `render_figure()` function. Affected versions: 3.2.0 and earlier. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N. CWE-79 (Improper Neutralization of Input During Web Page Generation).

Official resources

2026-05-26