CVE-2026-49851 | Mistune is a Python Markdown parser with renderers and plugi… | CVSS 8.7 HIGH

Description

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. When parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior. An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload. This vulnerability is fixed in 3.3.0.

Metadata

CVE ID: CVE-2026-49851
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-01 22:03 UTC
Published: 2026-06-24 17:05 UTC
Last updated: 2026-06-24 17:05 UTC
Primary CWE: CWE-400
CWE-400: Uncontrolled Resource Consumption
Vendor / Product: lepture / mistune
Sources: cve.org · NVD

Severity & Metrics

8.7 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
lepture	mistune	—	< 3.3.0

Weakness (CWE)

CWE	Source	Description
CWE-400	cna	CWE-400: Uncontrolled Resource Consumption
CWE-407	cna	CWE-407: Inefficient Algorithmic Complexity
CWE-770	cna	CWE-770: Allocation of Resources Without Limits or Throttling

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.7	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References (1)

https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p