Bug 2481723 (CVE-2026-44896) - CVE-2026-44896 mistune: Mistune: Cross-Site Scripting (XSS) via unescaped HTML attributes
Summary: CVE-2026-44896 mistune: Mistune: Cross-Site Scripting (XSS) via unescaped HTM...
Keywords:
Status: NEW
Alias: CVE-2026-44896
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2491759 2491761 2491762
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-26 22:02 UTC by OSIDB Bzimport
Modified: 2026-07-04 12:31 UTC (History)
15 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-26 22:02:02 UTC
Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and realier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer.


Note You need to log in before you can comment on or make changes to this bug.