If you discover a security vulnerability, do not submit a public issue or patch. Instead, please report it privately through the GitHub Security tab.
Security: lepture/mistune
Security policy: .github/SECURITY.md
Percent-encoded URL scheme bypass allows XSS via javascript: protocol in safe_url()
GHSA-8ppg-4vv7-9p53, published Jun 21, 2026 by lepture. Severity: Moderate

XSS via percent-encoded protocol bypass in safe_url() — javascript%3A bypasses javascript: filter
GHSA-jxhr-4j38-fpxg, published Jun 21, 2026 by lepture. Severity: High

Quadratic DoS in parse_link_text via unmatched bracket runs
GHSA-f32h-38gf-rg5r, published Jun 21, 2026 by lepture. Severity: Moderate

mistune: quadratic-time DoS in inline link parser on unbalanced [
GHSA-x2gr-6qf2-fc9x, published Jun 21, 2026 by lepture. Severity: High

Potential DoS via quadratic-time parsing in parse_link_text
GHSA-qcq2-496w-v96p, published Jun 21, 2026 by lepture. Severity: High

Denial of Service via nested bracket parsing
GHSA-3q64-rw38-243v, published Jun 21, 2026 by lepture. Severity: High

directives/include: mutual `.. include::` recursion crashes the renderer with `RecursionError`, denial of service via two attacker-controlled markdown files
GHSA-8mpj-m6qm-5qr8, published Jun 21, 2026 by lepture. Severity: Moderate

toc / TableOfContents directive: heading IDs use predictable `toc_N` numbering with no slugification, allowing collision with attacker-controlled `id="toc_N"` content
GHSA-2hm2-hc3v-44h9, published Jun 21, 2026 by lepture. Severity: Moderate

directives/include: `.. include::` of an `.html` file emits the file content as raw `block_html`, bypassing `escape=True` for the included file's contents
GHSA-96vr-jm8v-g22j, published Jun 21, 2026 by lepture. Severity: Moderate

block_parser: quadratic-time parsing on long lists of repeated reference-link definitions
GHSA-ffq3-xpv3-j92q, published Jun 21, 2026 by lepture. Severity: High