CVE-2026-44896
EUVD-2026-3199126.05.2026, 21:16
Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer. Version 3.2.1 contains a patch.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| mistune_project | mistune | 𝑥 ≤ 3.2.0 |
𝑥
= Vulnerable software versions
Ubuntu Releases