CVE-2026-44896
Mistune: XSS via unescaped figclass/figwidth in Figure directive
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 10th |
Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer. Version 3.2.1 contains a patch.
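As an added illustration (not mistune's own code), the unsafe attribute-concatenation pattern the description refers to is shown beside a version that escapes the option values; the option values, function names and the `attribute_names` helper are constructed for this example.

```python
import html
import re

# Constructed sample directive options. The figclass value contains a quote
# so that, if it is copied into an attribute unescaped, it terminates the
# class attribute and adds a second attribute of its own.
SAMPLE_OPTIONS = {
    "figclass": 'align-center" data-injected="1',
    "figwidth": "50%",
}


def render_figure_unescaped(body: str, options: dict) -> str:
    """Unsafe pattern from the advisory: option values go straight into
    attribute positions. Illustrative only, not mistune's implementation."""
    attrs = ""
    if "figclass" in options:
        attrs += ' class="' + options["figclass"] + '"'
    if "figwidth" in options:
        attrs += ' style="width:' + options["figwidth"] + '"'
    return "<figure" + attrs + ">" + body + "</figure>"


def render_figure_escaped(body: str, options: dict) -> str:
    """Hardened form: each option value is passed through html.escape with
    quote=True, so quotes become &quot; and cannot close the attribute.
    The body is assumed to have already gone through the inline renderer."""
    attrs = ""
    if "figclass" in options:
        attrs += ' class="' + html.escape(options["figclass"], quote=True) + '"'
    if "figwidth" in options:
        attrs += ' style="width:' + html.escape(options["figwidth"], quote=True) + '"'
    return "<figure" + attrs + ">" + body + "</figure>"


# Matches one double-quoted attribute on an opening tag and captures its name.
ATTR_RE = re.compile(r'\s([a-zA-Z_:][-a-zA-Z0-9_:.]*)="[^"]*"')


def attribute_names(figure_html: str) -> list:
    """List the attribute names on the opening <figure> tag. A renderer test
    can assert that only the expected attributes (class, style) appear."""
    open_tag = figure_html[: figure_html.index(">") + 1]
    return ATTR_RE.findall(open_tag)
```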
| CWE | CWE-79 |
| Vendor | lepture |
| Product | mistune |
| Published | May 26, 2026 |
| Last Updated | Jun 8, 2026 |
Affected Versions
lepture / mistune
< 3.2.1