Back to overview

CVE-2026-59925

HIGH
7.5
CVSS 3.1
Description
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching close markers from every potential opening run, allowing denial of service in default Mistune parsing. This issue is fixed in version 3.3.0.

Metadata

CVE ID
CVE-2026-59925
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-07 18:20 UTC
Published
2026-07-08 16:18 UTC
Last updated
2026-07-08 19:44 UTC
Primary CWE
CWE-407
CWE-407: Inefficient Algorithmic Complexity
Vendor / Product
lepture / mistune
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
lepture mistune < 3.3.0
Weakness (CWE)
CWESourceDescription
CWE-1333 cna CWE-1333: Inefficient Regular Expression Complexity
CWE-407 cna CWE-407: Inefficient Algorithmic Complexity
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References (3)
Back to overview