CVE-2026-59928

Summary

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.

Affected Software

VendorProductVersion RangeStatus
lepturemistune< 3.3.0affected

Weaknesses

  • CWE-407: CWE-407: Inefficient Algorithmic Complexity
  • CWE-1333: CWE-1333: Inefficient Regular Expression Complexity

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References