PYSEC-2026-2215

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/mistune/PYSEC-2026-2215.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2215
Aliases
Published
2026-07-08T17:17:28.450Z
Modified
2026-07-13T07:15:18.817354531Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
[none]
Details

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect cycles, allowing two markdown files that include each other to trigger unbounded recursion, raise RecursionError, and crash the rendering request. This issue is fixed in version 3.3.0.

References

Affected packages

PyPI / mistune

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.3.0

Affected versions

0.*
0.1.0
0.2.0
0.3.0
0.3.1
0.4
0.4.1
0.5
0.5.1
0.6
0.7
0.7.1
0.7.2
0.7.3
0.7.4
0.8
0.8.1
0.8.2
0.8.3
0.8.4
2.*
2.0.0a1
2.0.0a2
2.0.0a3
2.0.0a4
2.0.0a5
2.0.0a6
2.0.0rc1
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.1.0
3.*
3.0.0a1
3.0.0a2
3.0.0a3
3.0.0rc1
3.0.0rc2
3.0.0rc3
3.0.0rc4
3.0.0rc5
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0
3.2.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/mistune/PYSEC-2026-2215.yaml"