CVE-2026-59927

Source
https://cve.org/CVERecord?id=CVE-2026-59927
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59927.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59927
Aliases
Downstream
Related
Published
2026-07-08T16:24:37.985Z
Modified
2026-07-15T10:14:45.288000016Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Mistune directives/include: mutual `.. include::` recursion crashes the renderer with `RecursionError`, denial of service via two attacker-controlled markdown files
Details

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect cycles, allowing two markdown files that include each other to trigger unbounded recursion, raise RecursionError, and crash the rendering request. This issue is fixed in version 3.3.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-674",
        "CWE-755"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59927.json"
}
References

Affected packages

Git / github.com/lepture/mistune

Affected ranges

Type
GIT
Repo
https://github.com/lepture/mistune
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.3.0"
        }
    ],
    "cpe": "cpe:2.3:a:mistune_project:mistune:*:*:*:*:*:*:*:*"
}

Affected versions

v0.*
v0.1.0
v0.2.0
v0.3.0
v0.3.1
v0.4
v0.4.1
v0.5
v0.5.1
v0.6
v0.7
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.8
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v2.*
v2.0.0
v2.0.0a1
v2.0.0a2
v2.0.0a3
v2.0.0a4
v2.0.0a5
v2.0.0a6
v2.0.0rc1
v2.0.1
v2.0.2
v3.*
v3.0.0
v3.0.0a1
v3.0.0a2
v3.0.0a3
v3.0.0rc1
v3.0.0rc2
v3.0.0rc3
v3.0.0rc4
v3.0.0rc5
v3.0.1
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.2.0
v3.2.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59927.json"