PatchSiren

lepture CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH lepture CVE published 2026-06-24

CVE-2026-49851

CVE-2026-49851 is a high-severity vulnerability in Mistune, a Python Markdown parser. Prior to version 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear behavior in the parse_link_text function. This vulnerability can be triggered by an attacker-controlled Markdown input with a small payload, leading to excessive CPU usage. The vulnerability is fixed in version 3.3.0. This issue has [truncated]

MEDIUM lepture CVE published 2026-05-26

CVE-2026-44899

A cross-site scripting (XSS) vulnerability exists in the Mistune Python Markdown parser prior to version 3.2.1. The Image directive plugin uses a permissive regular expression (`^d+(?:.d*)?`) to validate `:width:` and `:height:` options, accepting any string that begins with digits. When a non-integer value passes this check, `render_block_image()` inserts it unescaped into a `style` attribute. An attacke [truncated]

MEDIUM lepture CVE published 2026-05-26

CVE-2026-44898

Mistune is a Python Markdown parser with renderers and plugins. Prior to version 3.2.1, the render_toc_ul() function constructs a <ul> table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href=&#34;#<id>&#34;) and the text value (used as the visible link label) are inserted into <a> tags via a plain Python format string without HTML escaping. When heading IDs are deri [truncated]

MEDIUM lepture CVE published 2026-05-26

CVE-2026-44896

A cross-site scripting (XSS) vulnerability exists in Mistune, a Python Markdown parser, affecting versions 3.2.0 and earlier. The vulnerability resides in the `render_figure()` function within `src/mistune/directives/image.py`, where `figclass` and `figwidth` directive options are concatenated directly into HTML attributes without proper escaping. This bypasses the `escape=True` protection in `HTMLRendere [truncated]

HIGH lepture CVE published 2026-05-06

CVE-2026-33079

CVE-2026-33079 is a ReDoS (Regular Expression Denial of Service) vulnerability in Mistune, a Python Markdown parser. The vulnerability affects versions 3.0.0a1 through 3.2.0 and allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles contains overlapping alternatives that can trigger catastrophic backtracking. A small crafted i [truncated]