Security: lepture/mistune
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
inline_parser: quadratic-time parsing on long runs of `**x**` and `***x***` emphasis pairsGHSA-4j32-57v6-6g45 published
Jun 21, 2026 by leptureHigh -
plugins/formatting: quadratic-time parsing on long runs of `~~x~~`, `==x==`, and `^^x^^` markers (strikethrough / mark / insert)GHSA-c8j7-8cv4-2xmq published
Jun 21, 2026 by leptureHigh -
directives/image (Figure): `figwidth` option flows unvalidated into the `<figure style="width:...">` attribute, allowing CSS injection and data exfiltration via `url()`GHSA-xmwc-wjpr-q378 published
Jun 21, 2026 by leptureModerate -
inline_parser: quadratic-time parsing on long runs of unmatched `[` brackets, denial of service via small markdown inputGHSA-xrpv-r66x-8p7j published
Jun 21, 2026 by leptureHigh -
directives/include: `.. include::` directive accepts unconstrained relative and absolute paths, allowing arbitrary file read by any markdown the renderer processesGHSA-9jjx-3hq3-hx4j published
Jun 21, 2026 by leptureHigh -
Mistune Image Directive CSS Injection VulnerabilityGHSA-ccfx-mfmx-2fx9 published
May 12, 2026 by leptureModerate -
Mistune TOC Anchor Injection XSSGHSA-6269-cqxg-mhhv published
May 12, 2026 by leptureModerate -
Mistune Heading ID Attribute Injection XSSGHSA-v87v-83h2-53w7 published
May 6, 2026 by leptureModerate -
Mistune Math Plugin XSS Escape BypassGHSA-8g87-j6q8-g93x published
May 6, 2026 by leptureModerate