Bug 2498154 (CVE-2026-59927)

Summary: CVE-2026-59927 mistune: Mistune: Denial of Service via unbounded recursion in Markdown include directive
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anthomas, ehelms, ggainey, jmitchel, jpasqual, juwatts, kshier, mhulan, nmoumoul, osousa, pbohmill, pcreech, rchan, rjohnson, smallamp, teagle, tmalecek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Mistune, a Python Markdown parser. The Include directive in Mistune's `src/mistune/directives/include.py` does not properly detect indirect cycles when two Markdown files include each other. This oversight allows for unbounded recursion, which can lead to a `RecursionError` and crash the rendering request, resulting in a Denial of Service (DoS) for the application using the parser.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-07-08 17:02:23 UTC
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect cycles, allowing two markdown files that include each other to trigger unbounded recursion, raise RecursionError, and crash the rendering request. This issue is fixed in version 3.3.0.