CVE-2026-49851

UNKNOWN 0.0

Mistune: Potential DoS via quadratic-time parsing in parse_link_text

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. When parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior. An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload. This vulnerability is fixed in 3.3.0.

CWE	CWE-400 CWE-770 CWE-407
Vendor	lepture
Product	mistune
Published	Jun 24, 2026

Stay Ahead of the Next One

Get instant alerts for lepture mistune

Be the first to know when new unknown vulnerabilities affecting lepture mistune are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

lepture / mistune

< 3.3.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p