Updated python-mistune package fixes security vulnerabilities
Publication date: 15 Jul 2026Modification date: 15 Jul 2026
Type: security
Affected Mageia releases : 10
CVE: CVE-2026-44898 , CVE-2026-49851
Description
The updated python-mistune package fixes two security vulnerablities:
Prior to 3.2.1, render_toc_ul() builds a <ul> table-of-contents tree
from a list of (level, id, text) tuples. Both the id value (used as
href="#<id>") and the text value (used as the visible link label) are
inserted into <a> tags via a plain Python format string — with no HTML
escaping applied to either value. When heading IDs are derived from
user-supplied heading text (the standard use-case for readable slug
anchors), an attacker can craft a heading whose text breaks out of the
href="#..." attribute context, injecting arbitrary HTML tags including
<script> blocks directly into the rendered TOC. (CVE-44898)
Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to
superlinear (approximately O(n²)) behavior in parse_link_text. When
parsing Markdown containing many consecutive [ characters,
parse_link_text repeatedly scans the input using a regex search inside a
loop. Each iteration re-scans a large portion of the remaining string,
resulting in quadratic-time behavior. An attacker-controlled Markdown
input can therefore trigger excessive CPU usage with a very small
payload. (CVE-2026-49851)
References
- https://bugs.mageia.org/show_bug.cgi?id=35773
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/W4DK3F2DIMTLJEXWFR5UC6EJVGR7KNR5/
- https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p
- https://www.cve.org/CVERecord?id=CVE-2026-44898
- https://www.cve.org/CVERecord?id=CVE-2026-49851
SRPMS
10/core
- python-mistune-3.3.2-1.mga10