VYPR
Medium severity (6.1) · GHSA Advisory · Published May 26, 2026 · Updated Jun 9, 2026

CVE-2026-44896

Description

Mistune is a Python Markdown parser with renderers and plugins. In versions 3.2.0 and earlier, the render_figure() function in src/mistune/directives/image.py concatenates the figclass and figwidth directive options directly into HTML attributes without escaping. Because these values never pass through the inline renderer, they allow attribute injection and XSS even when HTMLRenderer(escape=True) is used. Version 3.2.1 contains a patch.
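The following is an added illustration of the flaw pattern and its fix; it is not mistune's code. The two renderer functions are constructed stand-ins (the exact attribute layout, including the assumed `style="width:..."` form for figwidth, is an assumption), and the stdlib HTML parser is used to check, the way a browser would, whether an option value was able to smuggle extra attributes onto the `<figure>` tag.

```python
import html
from html.parser import HTMLParser


def _img(src, alt):
    # The image itself goes through the escaper in both variants; the
    # advisory's point is that the directive options do not.
    return '<img src="%s" alt="%s">' % (html.escape(src, quote=True),
                                       html.escape(alt, quote=True))


def render_figure_unescaped(src, alt, figclass="", figwidth=""):
    """Model of the vulnerable pattern: option values spliced in raw."""
    attrs = ""
    if figclass:
        attrs += ' class="' + figclass + '"'            # raw concatenation
    if figwidth:
        attrs += ' style="width:' + figwidth + '"'      # raw concatenation
    return "<figure" + attrs + ">" + _img(src, alt) + "</figure>"


def render_figure_escaped(src, alt, figclass="", figwidth=""):
    """Hardened variant: attribute-escape every option value.

    html.escape(..., quote=True) rewrites " as &quot; (and < > & too), so a
    value can no longer close the attribute it sits in or open a new tag.
    """
    attrs = ""
    if figclass:
        attrs += ' class="' + html.escape(figclass, quote=True) + '"'
    if figwidth:
        attrs += ' style="width:' + html.escape(figwidth, quote=True) + '"'
    return "<figure" + attrs + ">" + _img(src, alt) + "</figure>"


class _FigureAttrs(HTMLParser):
    """Collects the attributes the parser actually sees on the <figure> tag."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "figure" and self.attrs is None:
            self.attrs = dict(attrs)


def figure_attrs(rendered):
    """Parse rendered HTML and return the <figure> attributes as a dict."""
    p = _FigureAttrs()
    p.feed(rendered)
    p.close()
    return p.attrs or {}


if __name__ == "__main__":
    # Constructed sample: a figclass value that carries a quote and a second attribute.
    hostile = 'x" data-injected="1'
    print(figure_attrs(render_figure_unescaped("a.png", "alt", figclass=hostile)))
    print(figure_attrs(render_figure_escaped("a.png", "alt", figclass=hostile)))
```

With the unescaped renderer the parser reports two attributes on `<figure>`; with the escaped one the whole value stays inside `class`.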

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
mistune (PyPI)   < 3.2.1             3.2.1
