VYPR
Medium severity (6.1) · NVD Advisory · Published Oct 19, 2017 · Updated May 13, 2026

CVE-2017-15612

Description

mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: mistune (PyPI)
Affected versions: < 0.8
Patched versions: 0.8

Patches

d6f0b6402299

Fix bypassing XSS vulnerability.

https://github.com/lepture/mistune · junorouse · Oct 18, 2017 · via ghsa
3 files changed · +5 −2
  • mistune.py (+3 −2, modified)
    @@ -75,8 +75,9 @@ def escape(text, quote=False, smart_amp=True):
     def escape_link(url):
         """Remove dangerous URL schemes like javascript: and escape afterwards."""
         lower_url = url.lower().strip('\x00\x1a \n\r\t')
    +
         for scheme in _scheme_blacklist:
    -        if lower_url.startswith(scheme):
    +        if re.sub(r'[^A-Za-z0-9\/:]+', '', lower_url).startswith(scheme):
                 return ''
         return escape(url, quote=True, smart_amp=False)
     
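Review bot: the normalised copy `re.sub(r'[^A-Za-z0-9\/:]+', '', lower_url)` is recomputed on every iteration of the `_scheme_blacklist` loop; bind it once before the loop (the added blank line is the natural place) and test `normalised.startswith(scheme)`. That normalisation is what closes the `javasc\nript:` hole: the existing `strip('\x00\x1a \n\r\t')` only removes separators from the ends of the URL, so one placed inside the scheme name slipped past the prefix check, while the original `url` is still what gets escaped and returned on the allowed path. Note the character class also drops `+`, `-` and `.`, which are legal in scheme names, so the match is broader than the blacklist strings; that errs toward rejecting, but deserves a comment next to the regex, and the docstring's "remove dangerous URL schemes" should say the function returns an empty string for them.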
    @@ -844,7 +845,7 @@ def autolink(self, link, is_email=False):
             :param link: link content or email address.
             :param is_email: whether this is an email or not.
             """
    -        text = link = escape(link)
    +        text = link = escape_link(link)
             if is_email:
                 link = 'mailto:%s' % link
             return '<a href="%s">%s</a>' % (link, text)
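Review bot: when `escape_link` rejects the input it returns `''`, and with `is_email` set this hunk then emits `<a href="mailto:"></a>`, an empty anchor with a bare `mailto:`; skip the anchor (or return just the escaped text) when the sanitised link comes back empty. The switch from `escape(link)` to `escape_link(link)` also changes how the visible link text is escaped: `escape_link` calls `escape(url, quote=True, smart_amp=False)` (visible in the hunk above), so every `&` in an autolinked URL becomes `&amp;`, an existing entity included, whereas the old default `smart_amp=True` left entities alone. That is the right setting for the `href`, but the docstring should say the text is now attribute-escaped too.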
    
  • tests/__init__.py (+0 −0, added)
  • tests/test_extra.py (+2 −0, modified)
    @@ -23,6 +23,8 @@ def test_safe_links():
             ('javascript:alert`1`', ''),
             # bypass attempt
             ('jAvAsCrIpT:alert`1`', ''),
    +        # bypass with newline 
    +        ('javasc\nript:alert`1`', ''),
             # javascript pseudo protocol with entities
             ('javascript&colon;alert`1`', 'javascript&amp;colon;alert`1`'),
             # javascript pseudo protocol with prefix (dangerous in Chrome)
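Review bot: the new case only exercises `escape_link` with a LF inside `javascript`; nothing here covers the second half of the fix, the `autolink` path (or the email form the advisory text names), and the other separators the new regex strips, CR, tab and NUL inside the scheme, are untested. Add cases such as `('javasc\rript:alert`1`', '')` and `('java\tscript:alert`1`', '')` next to this one, plus a test that renders an autolink and an email autolink and asserts the `javascript:` scheme is removed. Also trim the trailing space after `# bypass with newline`.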
    

Vulnerability mechanics

Derived from the fix diff above. Before the fix, escape_link() lowercased the URL, stripped NUL, SUB, space, tab, CR and LF from its two ends only, and then rejected it if it started with a blacklisted scheme. A separator placed inside the scheme name ("javasc\nript:alert`1`") therefore passed the prefix test, because the check compared "javasc\n…" against "javascript:". A browser that follows the WHATWG URL Standard trims leading and trailing C0 controls and spaces and then discards every ASCII tab, LF and CR from the input before it looks for a scheme, so the same string resolves as javascript: and the payload runs. The fix (d6f0b6402299) runs the prefix check against a copy of the URL with every byte outside [A-Za-z0-9/:] removed, so a newline, tab or other separator can no longer split the scheme.

The second change is independent of the newline trick: autolink() passed the link through escape() rather than escape_link(), so URLs and email addresses handled by the autolink path were HTML-escaped but never checked against the scheme blacklist at all. The fix routes them through escape_link(); this is the autolink/email case the description refers to.
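The before/after pair as an added worked example, not code from the mistune repository: the two escape_link variants and the two autolink variants are reconstructed from the hunks above, escape() is a minimal stand-in for mistune's own function, the contents of _scheme_blacklist are an assumption (the diff does not show them), and browser_scheme() is an added helper that mimics the WHATWG URL parser's trimming and tab/newline stripping to show which scheme a browser actually resolves for each input.

```python
import re

# Assumption for this demo: the diff references _scheme_blacklist but does
# not show its contents, so these two entries are an assumed blacklist.
SCHEME_BLACKLIST = ('javascript:', 'vbscript:')

# Characters the original escape_link strips from the ENDS of the URL (from the diff).
STRIP_CHARS = '\x00\x1a \n\r\t'

# Stand-in for mistune's escape(): smart_amp=True leaves an existing entity such
# as &amp; untouched; quote=True also escapes " and ' for use inside attributes.
_SMART_AMP = re.compile(r'&(?!#?\w+;)')


def escape(text, quote=False, smart_amp=True):
    text = _SMART_AMP.sub('&amp;', text) if smart_amp else text.replace('&', '&amp;')
    text = text.replace('<', '&lt;').replace('>', '&gt;')
    if quote:
        text = text.replace('"', '&quot;').replace("'", '&#39;')
    return text


def escape_link_vulnerable(url):
    """escape_link as it read before the fix (reconstructed from the diff)."""
    lower_url = url.lower().strip(STRIP_CHARS)   # ends only: interior bytes survive
    for scheme in SCHEME_BLACKLIST:
        if lower_url.startswith(scheme):
            return ''
    return escape(url, quote=True, smart_amp=False)


def escape_link_fixed(url):
    """escape_link after commit d6f0b6402299 (reconstructed from the diff)."""
    lower_url = url.lower().strip(STRIP_CHARS)
    # Compare a copy with every byte outside [A-Za-z0-9/:] removed, so a
    # newline, tab or NUL inside the scheme name can no longer split it.
    normalized = re.sub(r'[^A-Za-z0-9\/:]+', '', lower_url)
    for scheme in SCHEME_BLACKLIST:
        if normalized.startswith(scheme):
            return ''
    return escape(url, quote=True, smart_amp=False)


def autolink_vulnerable(link, is_email=False):
    """autolink before the fix: escape() only, the blacklist is never consulted."""
    text = link = escape(link)
    if is_email:
        link = 'mailto:%s' % link
    return '<a href="%s">%s</a>' % (link, text)


def autolink_fixed(link, is_email=False):
    """autolink after the fix: routed through escape_link()."""
    text = link = escape_link_fixed(link)
    if is_email:
        link = 'mailto:%s' % link
    return '<a href="%s">%s</a>' % (link, text)


# Added helper (not in mistune): what the WHATWG URL parser discards before it
# looks for a scheme: leading/trailing C0 controls and space, then every ASCII
# tab, LF and CR anywhere in the input.
_C0_AND_SPACE = ''.join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r'([A-Za-z][A-Za-z0-9+.-]*):')


def browser_scheme(url):
    """Scheme a browser resolves for a raw href value, or None if it has none."""
    url = re.sub(r'[\t\n\r]', '', url.strip(_C0_AND_SPACE))
    m = _SCHEME.match(url)
    return m.group(1).lower() if m else None


def compare(url):
    """(scheme the browser sees, pre-fix escape_link output, post-fix escape_link output)."""
    return browser_scheme(url), escape_link_vulnerable(url), escape_link_fixed(url)


if __name__ == '__main__':
    # Constructed sample inputs; the first three come from the patch's test file.
    for u in ('javascript:alert`1`', 'jAvAsCrIpT:alert`1`', 'javasc\nript:alert`1`',
              'java\tscript:alert(1)', 'https://example.com/?a=1&b=2'):
        print(repr(u), '->', compare(u))
```

The middle element of each compare() tuple shows the gap: for the newline and tab payloads the pre-fix function returns the URL intact while browser_scheme() reports javascript:, and autolink_vulnerable() hands even a plain javascript: URL straight through because it never called the blacklist at all.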
