Vulnerability Details CVE-2026-59923
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safe_url() does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or images to bypass URL protections and execute script in rendered HTML. This issue is fixed in version 3.3.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 9.9%
CVSS Severity
CVSS v3 Score 6.1
Products affected by CVE-2026-59923
-
cpe:2.3:a:mistune_project:mistune:0.1.0
-
cpe:2.3:a:mistune_project:mistune:0.2.0
-
cpe:2.3:a:mistune_project:mistune:0.3.0
-
cpe:2.3:a:mistune_project:mistune:0.3.1
-
cpe:2.3:a:mistune_project:mistune:0.4
-
cpe:2.3:a:mistune_project:mistune:0.4.1
-
cpe:2.3:a:mistune_project:mistune:0.5
-
cpe:2.3:a:mistune_project:mistune:0.5.1
-
cpe:2.3:a:mistune_project:mistune:0.6
-
cpe:2.3:a:mistune_project:mistune:0.7
-
cpe:2.3:a:mistune_project:mistune:0.7.1
-
cpe:2.3:a:mistune_project:mistune:0.7.2
-
cpe:2.3:a:mistune_project:mistune:0.7.3
-
cpe:2.3:a:mistune_project:mistune:0.7.4
-
cpe:2.3:a:mistune_project:mistune:0.8
-
cpe:2.3:a:mistune_project:mistune:0.8.1
-
cpe:2.3:a:mistune_project:mistune:0.8.2
-
cpe:2.3:a:mistune_project:mistune:0.8.3
-
cpe:2.3:a:mistune_project:mistune:0.8.4
-
cpe:2.3:a:mistune_project:mistune:2.0.0
-
cpe:2.3:a:mistune_project:mistune:2.0.1
-
cpe:2.3:a:mistune_project:mistune:2.0.2
-
cpe:2.3:a:mistune_project:mistune:2.0.3
-
cpe:2.3:a:mistune_project:mistune:2.0.4
-
cpe:2.3:a:mistune_project:mistune:2.0.5
-
cpe:2.3:a:mistune_project:mistune:3.0.0
-
cpe:2.3:a:mistune_project:mistune:3.0.1
-
cpe:2.3:a:mistune_project:mistune:3.0.2
-
cpe:2.3:a:mistune_project:mistune:3.1.0
-
cpe:2.3:a:mistune_project:mistune:3.1.1
-
cpe:2.3:a:mistune_project:mistune:3.1.2
-
cpe:2.3:a:mistune_project:mistune:3.1.3
-
cpe:2.3:a:mistune_project:mistune:3.1.4
-
cpe:2.3:a:mistune_project:mistune:3.2.0
-
cpe:2.3:a:mistune_project:mistune:3.2.1