Home

Description

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. When parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior. An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload. This vulnerability is fixed in 3.3.0.

PUBLISHED Reserved 2026-06-01 | Published 2026-06-24 | Updated 2026-06-25 | Assigner GitHub_M




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-400: Uncontrolled Resource Consumption

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-407: Inefficient Algorithmic Complexity

Product status

< 3.3.0
affected

References

github.com/...istune/security/advisories/GHSA-qcq2-496w-v96p exploit

github.com/...istune/security/advisories/GHSA-qcq2-496w-v96p

cve.org (CVE-2026-49851)

nvd.nist.gov (CVE-2026-49851)

Download JSON