Source: mistune
Version: 3.1.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerabilities were published for mistune.

CVE-2026-44708[0]:
| Mistune is a Python Markdown parser with renderers and plugins.
| Prior to 3.2.1, the mistune math plugin renders inline math ($...$)
| and block math ($$...$$) by concatenating the raw user-supplied
| content directly into the HTML output without any HTML escaping.
| This occurs even when the parser is explicitly created with
| escape=True, which is supposed to guarantee that all user-controlled
| text is sanitised before reaching the DOM. This vulnerability is
| fixed in 3.2.1.

CVE-2026-44896[1]:
| Mistune is a Python Markdown parser with renderers and plugins. In
| 3.2.0 and earlier, in src/mistune/directives/image.py, the
| render_figure() function concatenates figclass and figwidth options
| directly into HTML attributes without escaping. This allows
| attribute injection and XSS even when HTMLRenderer(escape=True) is
| used, because these values bypass the inline renderer.

CVE-2026-44897[2]:
| Mistune is a Python Markdown parser with renderers and plugins.
| Prior to 3.2.1, HTMLRenderer.heading() builds the opening <hN> tag
| by string-concatenating the id attribute value directly into the
| HTML — with no call to escape(), safe_entity(), or any other
| sanitisation function. A double-quote character " in the id value
| terminates the attribute, allowing an attacker to inject arbitrary
| additional attributes (event handlers, src=, href=, etc.) into the
| heading element. This vulnerability is fixed in 3.2.1.

CVE-2026-44898[3]:
| Mistune is a Python Markdown parser with renderers and plugins.
| Prior to 3.2.1, render_toc_ul() builds a <ul> table-of-contents tree
| from a list of (level, id, text) tuples. Both the id value (used as
| href="#<id>") and the text value (used as the visible link label)
| are inserted into <a> tags via a plain Python format string — with
| no HTML escaping applied to either value. When heading IDs are
| derived from user-supplied heading text (the standard use-case for
| readable slug anchors), an attacker can craft a heading whose text
| breaks out of the href="#..." attribute context, injecting arbitrary
| HTML tags including <script> blocks directly into the rendered TOC.
| This vulnerability is fixed in 3.2.1.

CVE-2026-44899[4]:
| Mistune is a Python Markdown parser with renderers and plugins.
| Prior to 3.2.1, the Image directive plugin validates the :width: and
| :height: options with a regex compiled as _num_re =
| re.compile(r"^\d+(?:\.\d*)?"). When the validated value is not a
| plain integer, render_block_image() inserts it directly into a
| style="width:...;" or style="height:...;" attribute. Because the
| value was accepted by the prefix-only regex, any CSS after the
| leading digits reaches the style= attribute verbatim and without
| escaping. This vulnerability is fixed in 3.2.1.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44708
    https://www.cve.org/CVERecord?id=CVE-2026-44708
[1] https://security-tracker.debian.org/tracker/CVE-2026-44896
    https://www.cve.org/CVERecord?id=CVE-2026-44896
[2] https://security-tracker.debian.org/tracker/CVE-2026-44897
    https://www.cve.org/CVERecord?id=CVE-2026-44897
[3] https://security-tracker.debian.org/tracker/CVE-2026-44898
    https://www.cve.org/CVERecord?id=CVE-2026-44898
[4] https://security-tracker.debian.org/tracker/CVE-2026-44899
    https://www.cve.org/CVERecord?id=CVE-2026-44899

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
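The three injection patterns the advisory describes (an attribute value concatenated into an <hN> tag, a TOC link built with a plain format string, and a dimension accepted by a prefix-only regex) reduce to a few lines each. The block below is an added example written for this page, not mistune's code and not the upstream fix: it reproduces each pattern in self-contained form next to a hardened variant, on constructed inputs, so a packager can see exactly what each CVE's "without escaping" means and check a candidate patch against the same inputs. Function names, the sample id/width strings and the simplified width handling (integer goes to a width= attribute, anything else to style=) are assumptions of the example.

```python
"""Added example, not mistune's code: the injection patterns from the advisory."""
import html
import re
from typing import Optional

# Constructed attacker inputs (not taken from any real document).
EVIL_ID = 'x" onmouseover="alert(1)'          # breaks out of id="..." / href="#..."
EVIL_TEXT = "<script>alert(1)</script>"         # TOC label without escaping
EVIL_WIDTH = "10px;background:url(javascript:alert(1))"  # passes a prefix-only regex


def heading_vulnerable(text: str, level: int, id: Optional[str] = None) -> str:
    """Pattern described for CVE-2026-44897: the id value is concatenated raw.
    `text` is assumed to have been escaped by the inline renderer already."""
    tag = "h" + str(level)
    out = "<" + tag
    if id:
        out += ' id="' + id + '"'
    return out + ">" + text + "</" + tag + ">\n"


def heading_fixed(text: str, level: int, id: Optional[str] = None) -> str:
    """Same builder, with the attribute value escaped (quote=True turns " into &quot;)."""
    tag = "h" + str(level)
    out = "<" + tag
    if id:
        out += ' id="' + html.escape(id, quote=True) + '"'
    return out + ">" + text + "</" + tag + ">\n"


def toc_link_vulnerable(id: str, text: str) -> str:
    """Pattern described for CVE-2026-44898: both values via a plain format string."""
    return '<li><a href="#{}">{}</a></li>'.format(id, text)


def toc_link_fixed(id: str, text: str) -> str:
    """Escape for the context each value lands in: attribute value and text node."""
    return '<li><a href="#{}">{}</a></li>'.format(
        html.escape(id, quote=True), html.escape(text)
    )


# CVE-2026-44899: the prefix-only regex only anchors the start, so re.match()
# accepts any string that merely begins with digits. The hardened pattern
# anchors the end with \Z (unlike $, it does not match before a trailing newline).
NUM_RE_PREFIX_ONLY = re.compile(r"^\d+(?:\.\d*)?")
NUM_RE_FULL = re.compile(r"^\d+(?:\.\d*)?\Z")


def width_attr(value: str, pattern: "re.Pattern[str]") -> Optional[str]:
    """Validate a :width: option with `pattern`; None means the option is rejected.
    Simplified assumption of this example: a plain integer becomes width="N",
    anything else that validates is placed in a style= attribute verbatim.
    Note that HTML escaping alone would not help here: the payload contains no
    characters html.escape() touches, so the validation must be a full match."""
    if not pattern.match(value):
        return None
    if value.isdigit():
        return 'width="' + value + '"'
    return 'style="width:' + value + ';"'


def demo() -> dict:
    """Render each pattern on the constructed inputs; returns a comparison table."""
    return {
        "heading": (heading_vulnerable("T", 1, EVIL_ID), heading_fixed("T", 1, EVIL_ID)),
        "toc": (toc_link_vulnerable(EVIL_ID, EVIL_TEXT), toc_link_fixed(EVIL_ID, EVIL_TEXT)),
        "width": (width_attr(EVIL_WIDTH, NUM_RE_PREFIX_ONLY), width_attr(EVIL_WIDTH, NUM_RE_FULL)),
    }


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(name, "vulnerable:", before)
        print(name, "hardened:  ", after)
```

The width case is the one worth dwelling on when reviewing the backport: escaping is the right fix for the id and TOC values because they land in HTML attribute and text contexts, but the CSS payload survives html.escape() untouched, so the fix there has to be a full-match validation, not an encoding step.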

