Back to overview

CVE-2026-59927

MEDIUM
5.3
CVSS 3.1
Description
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect cycles, allowing two markdown files that include each other to trigger unbounded recursion, raise RecursionError, and crash the rendering request. This issue is fixed in version 3.3.0.

Metadata

CVE ID
CVE-2026-59927
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-07 18:20 UTC
Published
2026-07-08 16:24 UTC
Last updated
2026-07-08 19:45 UTC
Primary CWE
CWE-674
CWE-674: Uncontrolled Recursion
Vendor / Product
lepture / mistune
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
lepture mistune < 3.3.0
Weakness (CWE)
CWESourceDescription
CWE-674 cna CWE-674: Uncontrolled Recursion
CWE-755 cna CWE-755: Improper Handling of Exceptional Conditions
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References (3)
Back to overview