rpm package
opensuse/python-mistune&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/python-mistune&distro=openSUSE%20Tumbleweed
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44897 | Med | 6.1 | | < 3.2.1-1.1 | 3.2.1-1.1 | May 26, 2026 | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading() builds the opening tag by string-concatenating the id attribute value directly into the HTML — with no call to escape(), safe_entity(), or any other sanitisation function. |
| CVE-2026-33441 | | — | | < 3.2.1-1.1 | 3.2.1-1.1 | May 6, 2026 | Rejected reason: This CVE is a duplicate of another CVE: CVE-2026-33079. |
| CVE-2026-33079 | Hig | — | | < 3.2.1-1.1 | 3.2.1-1.1 | May 6, 2026 | In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles conta |
| CVE-2022-34749 | | — | | < 3.1.0-1.1 | 3.1.0-1.1 | Jul 25, 2022 | In mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking. |
| CVE-2017-16876 | Med | 6.1 | | < 3.0.2-2.5 | 3.0.2-2.5 | Dec 29, 2017 | Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the "key" argument. |
| CVE-2017-15612 | Med | 6.1 | | < 3.0.2-2.5 | 3.0.2-2.5 | Oct 19, 2017 | mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions. |