Bug 2498141 (CVE-2026-59929)

Summary: CVE-2026-59929 mistune: Mistune: Cross-site scripting via incomplete URL scheme filtering
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anthomas, ehelms, ggainey, jpasqual, juwatts, mhulan, nmoumoul, osousa, pcreech, rchan, rjohnson, smallamp, tmalecek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Mistune, a Python Markdown parser. The `safe_url` filter, intended to prevent malicious Uniform Resource Locators (URLs), did not adequately block all potentially harmful schemes. This oversight allows an attacker to embed specially crafted URLs using legacy or chained schemes within rendered HTML attributes. Consequently, a remote attacker could exploit this to execute arbitrary script code in a user's browser, leading to a Cross-Site Scripting (XSS) vulnerability.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-07-08 17:01:38 UTC
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safe_url filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:, and res: to reach rendered href and src attributes and potentially execute script in affected user agents. This issue is fixed in version 3.3.0.