Bug 2498141 (CVE-2026-59929)
| Summary: | CVE-2026-59929 mistune: Mistune: Cross-site scripting via incomplete URL scheme filtering | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | anthomas, ehelms, ggainey, jpasqual, juwatts, mhulan, nmoumoul, osousa, pcreech, rchan, rjohnson, smallamp, tmalecek |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Mistune, a Python Markdown parser. The `safe_url` filter, intended to prevent malicious Uniform Resource Locators (URLs), did not adequately block all potentially harmful schemes. This oversight allows an attacker to embed specially crafted URLs using legacy or chained schemes within rendered HTML attributes. Consequently, a remote attacker could exploit this to execute arbitrary script code in a user's browser, leading to a Cross-Site Scripting (XSS) vulnerability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-07-08 17:01:38 UTC
|