PatchSiren

lepture CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM lepture CVE published 2026-05-26

CVE-2026-44899

A cross-site scripting (XSS) vulnerability exists in the Mistune Python Markdown parser prior to version 3.2.1. The Image directive plugin uses a permissive regular expression (`^\d+(?:\.\d*)?`) to validate `:width:` and `:height:` options, accepting any string that begins with digits. When a non-integer value passes this check, `render_block_image()` inserts it unescaped into a `style` attribute. An attacke [truncated]

MEDIUM lepture CVE published 2026-05-26

CVE-2026-44898

Mistune is a Python Markdown parser with renderers and plugins. Prior to version 3.2.1, the render_toc_ul() function constructs a <ul> table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href="#<id>") and the text value (used as the visible link label) are inserted into <a> tags via a plain Python format string without HTML escaping. When heading IDs are deri [truncated]

MEDIUM lepture CVE published 2026-05-26

CVE-2026-44896

A cross-site scripting (XSS) vulnerability exists in Mistune, a Python Markdown parser, affecting versions 3.2.0 and earlier. The vulnerability resides in the `render_figure()` function within `src/mistune/directives/image.py`, where `figclass` and `figwidth` directive options are concatenated directly into HTML attributes without proper escaping. This bypasses the `escape=True` protection in `HTMLRendere [truncated]