Medium severity (CVSS 6.1) · NVD Advisory · Published Dec 29, 2017 · Updated May 13, 2026
CVE-2017-16876
Description
Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the "key" argument.
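To make the description concrete, the following is an added example (not mistune's own code; the `escape` and `_key_pattern` helpers are modelled on the 0.8 internals, which is an assumption, and `HOSTILE_KEY` is a constructed input). It implements the pre-fix and post-fix `_keyify` side by side and shows that the patched form neutralises a reference-link key that would otherwise break out of an HTML attribute or open a tag when the parser emits it.

```python
import re

# Added example modelled on the helpers in mistune 0.8 (an assumption about the
# library's internals, not its actual source): _key_pattern collapses whitespace
# runs, escape() HTML-encodes text, and _keyify normalises the reference-link
# key that the parser later writes into generated HTML.
_key_pattern = re.compile(r"\s+")
_escape_pattern = re.compile(r"&(?!#?\w+;)")  # leave existing entities alone


def escape(text, quote=False, smart_amp=True):
    """HTML-escape text; with quote=True also encode both quote characters."""
    if smart_amp:
        text = _escape_pattern.sub("&amp;", text)
    else:
        text = text.replace("&", "&amp;")
    text = text.replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        text = text.replace('"', "&quot;").replace("'", "&#39;")
    return text


def keyify_vulnerable(key):
    """Mistune < 0.8.1 behaviour: lower-case and collapse whitespace, no escaping."""
    return _key_pattern.sub(" ", key.lower())


def keyify_patched(key):
    """Mistune 0.8.1 behaviour: escape (quotes included) before collapsing."""
    key = escape(key.lower(), quote=True)
    return _key_pattern.sub(" ", key)


def contains_html_metachars(s):
    """True if the value could still close an attribute or start a tag."""
    return any(c in s for c in "<>\"'")


# Constructed attacker-controlled key, as it would arrive from `[text][<key>]`
# in untrusted Markdown.
HOSTILE_KEY = '"><IMG SRC=x onerror=alert(1)>'

if __name__ == "__main__":
    print("before:", keyify_vulnerable(HOSTILE_KEY))
    print("after: ", keyify_patched(HOSTILE_KEY))
```

Note that escaping happens before the whitespace collapse, so a key defined as `Foo   Bar` and a reference written as `foo bar` still normalise to the same string; the `smart_amp` default also leaves an already-encoded `&amp;` untouched rather than double-encoding it.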
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mistune (PyPI) | < 0.8.1 | 0.8.1 |
Affected products
- cpe:2.3:o:fedoraproject:fedora:26:*:*:*:*:*:*:*
Patches
1 file changed · +5 −3
mistune.py+5 −3 modified@@ -11,7 +11,7 @@ import re import inspect -__version__ = '0.8' +__version__ = '0.8.1' __author__ = 'Hsiaoming Yang <me@lepture.com>' __all__ = [ 'BlockGrammar', 'BlockLexer', @@ -48,7 +48,8 @@ def _pure_pattern(regex): def _keyify(key): - return _key_pattern.sub(' ', key.lower()) + key = escape(key.lower(), quote=True) + return _key_pattern.sub(' ', key) def escape(text, quote=False, smart_amp=True): @@ -445,7 +446,8 @@ class InlineGrammar(object): inline_html = re.compile( r'^(?:%s|%s|%s)' % ( r'<!--[\s\S]*?-->', - r'<(\w+%s)((?:%s)*?)\s*>([\s\S]*?)<\/\1>' % (_valid_end, _valid_attr), + r'<(\w+%s)((?:%s)*?)\s*>([\s\S]*?)<\/\1>' % ( + _valid_end, _valid_attr), r'<\w+%s(?:%s)*?\s*\/?>' % (_valid_end, _valid_attr), ) )
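Review bot: in the `_keyify` hunk the new `escape(key.lower(), quote=True)` runs before `_key_pattern.sub(' ', key)`, which is the right order since the entities `escape` emits contain no whitespace, but the hunk ships without a regression test; a test that keyifies a value such as `"><script>` and asserts on `&quot;&gt;&lt;script&gt;` would guard the fix, and every call site that later compares keys must go through this function so that a reference definition and its lookup still match once both are escaped.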
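Review bot: the `inline_html` hunk only re-wraps the `%` arguments of the second regex alternative onto a new line and changes no behaviour; keeping unrelated formatting out of a security fix makes the commit easier to backport and review, so consider splitting it into its own change.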
References
- github.com/lepture/mistune/commit/5f06d724bc05580e7f203db2d4a4905fc1127f98 (NVD: Patch, Third Party Advisory)
- bugzilla.redhat.com/show_bug.cgi (NVD: Issue Tracking, Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-98gj-wwxm-cj3h (GHSA: Advisory)
- github.com/lepture/mistune/blob/master/CHANGES.rst (NVD: Release Notes, Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-16876 (GHSA: Advisory)
- github.com/pypa/advisory-database/tree/main/vulns/mistune/PYSEC-2017-18.yaml (GHSA)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NUR3GMHQBMA3UC4PFMCK6GCLOQC4LQQC/ (GHSA, NVD)