MGASA-2026-0254

Source
https://advisories.mageia.org/MGASA-2026-0254.html
Import Source
https://advisories.mageia.org/MGASA-2026-0254.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2026-0254
Upstream
Published
2026-07-15T17:33:12Z
Modified
2026-07-15T17:45:05.087174308Z
Summary
Updated python-mistune package fixes security vulnerabilities
Details

The updated python-mistune package fixes two security vulnerablities: Prior to 3.2.1, rendertocul() builds a <ul> table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href="#<id>") and the text value (used as the visible link label) are inserted into <a> tags via a plain Python format string — with no HTML escaping applied to either value. When heading IDs are derived from user-supplied heading text (the standard use-case for readable slug anchors), an attacker can craft a heading whose text breaks out of the href="#..." attribute context, injecting arbitrary HTML tags including <script> blocks directly into the rendered TOC. (CVE-44898) Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parselinktext. When parsing Markdown containing many consecutive [ characters, parselinktext repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior. An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload. (CVE-2026-49851)

References
Credits

Affected packages

Mageia:10 / python-mistune

Package

Name
python-mistune
Purl
pkg:rpm/mageia/python-mistune?arch=source&distro=mageia-10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.3.2-1.mga10

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2026-0254.json"