CVE-2026-59925

Source
https://cve.org/CVERecord?id=CVE-2026-59925
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59925.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59925
Aliases
Downstream
Published
2026-07-08T16:18:43.786Z
Modified
2026-07-13T07:26:17.576443249Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
inline_parser: quadratic-time parsing on long runs of `**x**` and `***x***` emphasis pairs
Details

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching close markers from every potential opening run, allowing denial of service in default Mistune parsing. This issue is fixed in version 3.3.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1333",
        "CWE-407"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59925.json"
}
References

Affected packages

Git / github.com/lepture/mistune

Affected ranges

Type
GIT
Repo
https://github.com/lepture/mistune
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.3.0"
        }
    ],
    "cpe": "cpe:2.3:a:mistune_project:mistune:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.1.0
v0.2.0
v0.3.0
v0.3.1
v0.4
v0.4.1
v0.5
v0.5.1
v0.6
v0.7
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.8
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v2.*
v2.0.0
v2.0.0a1
v2.0.0a2
v2.0.0a3
v2.0.0a4
v2.0.0a5
v2.0.0a6
v2.0.0rc1
v2.0.1
v2.0.2
v3.*
v3.0.0
v3.0.0a1
v3.0.0a2
v3.0.0a3
v3.0.0rc1
v3.0.0rc2
v3.0.0rc3
v3.0.0rc4
v3.0.0rc5
v3.0.1
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.2.0
v3.2.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59925.json"