Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    Related vulnerabilities

    CVE-2026-59928 (GCVE-0-2026-59928)

    Vulnerability from cvelistv5 – Published: 2026-07-08 16:23 – Updated: 2026-07-08 19:40
    VLAI
    Title
    Mistune block_parser: quadratic-time parsing on long lists of repeated reference-link definitions
    Summary
    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-407 - Inefficient Algorithmic Complexity
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    lepture mistune Affected: < 3.3.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59928",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T17:46:13.539153Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T19:40:43.968Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/lepture/mistune/security/advisories/GHSA-ffq3-xpv3-j92q"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "mistune",
              "vendor": "lepture",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.3.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-407",
                  "description": "CWE-407: Inefficient Algorithmic Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T16:23:21.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/lepture/mistune/security/advisories/GHSA-ffq3-xpv3-j92q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/lepture/mistune/security/advisories/GHSA-ffq3-xpv3-j92q"
            },
            {
              "name": "https://github.com/lepture/mistune/commit/2b04d7ba341c16ac78fe82d3076bdd5c3de87c69",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/lepture/mistune/commit/2b04d7ba341c16ac78fe82d3076bdd5c3de87c69"
            },
            {
              "name": "https://github.com/lepture/mistune/releases/tag/v3.3.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/lepture/mistune/releases/tag/v3.3.0"
            }
          ],
          "source": {
            "advisory": "GHSA-ffq3-xpv3-j92q",
            "discovery": "UNKNOWN"
          },
          "title": "Mistune block_parser: quadratic-time parsing on long lists of repeated reference-link definitions"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59928",
        "datePublished": "2026-07-08T16:23:21.000Z",
        "dateReserved": "2026-07-07T18:20:06.126Z",
        "dateUpdated": "2026-07-08T19:40:43.968Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    PYSEC-2026-2216

    Vulnerability from pysec - Published: 2026-07-08 17:17 - Updated: 2026-07-13 05:49
    VLAI
    Details

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.

    Impacted products
    Name purl
    mistune pkg:pypi/mistune

    {
      "affected": [
        {
          "ecosystem_specific": {},
          "package": {
            "ecosystem": "PyPI",
            "name": "mistune",
            "purl": "pkg:pypi/mistune"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "3.3.0"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "0.1.0",
            "0.2.0",
            "0.3.0",
            "0.3.1",
            "0.4",
            "0.4.1",
            "0.5",
            "0.5.1",
            "0.6",
            "0.7",
            "0.7.1",
            "0.7.2",
            "0.7.3",
            "0.7.4",
            "0.8",
            "0.8.1",
            "0.8.2",
            "0.8.3",
            "0.8.4",
            "2.0.0",
            "2.0.0a1",
            "2.0.0a2",
            "2.0.0a3",
            "2.0.0a4",
            "2.0.0a5",
            "2.0.0a6",
            "2.0.0rc1",
            "2.0.1",
            "2.0.2",
            "2.0.3",
            "2.0.4",
            "2.0.5",
            "2.1.0",
            "3.0.0",
            "3.0.0a1",
            "3.0.0a2",
            "3.0.0a3",
            "3.0.0rc1",
            "3.0.0rc2",
            "3.0.0rc3",
            "3.0.0rc4",
            "3.0.0rc5",
            "3.0.1",
            "3.0.2",
            "3.1.0",
            "3.1.1",
            "3.1.2",
            "3.1.3",
            "3.1.4",
            "3.2.0",
            "3.2.1"
          ]
        }
      ],
      "aliases": [
        "CVE-2026-59928",
        "GHSA-ffq3-xpv3-j92q"
      ],
      "details": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.",
      "id": "PYSEC-2026-2216",
      "modified": "2026-07-13T05:49:57.952134Z",
      "published": "2026-07-08T17:17:28.600Z",
      "references": [
        {
          "type": "ADVISORY",
          "url": "https://github.com/lepture/mistune/releases/tag/v3.3.0"
        },
        {
          "type": "FIX",
          "url": "https://github.com/lepture/mistune/commit/2b04d7ba341c16ac78fe82d3076bdd5c3de87c69"
        },
        {
          "type": "EVIDENCE",
          "url": "https://github.com/lepture/mistune/security/advisories/GHSA-ffq3-xpv3-j92q"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "type": "CVSS_V3"
        }
      ]
    }