Is mistune affected by CVE-2026-44896?

PyPI mistune is affected in <3.2.1.

Is CVE-2026-44896 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.2%.

medium

CVE-2026-44896

Q: Is CVE-2026-44896 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.2%.

PyPI · mistune

Summary

Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and realier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRend

Severity: medium
EPSS: 0.2% (p10)
Also known as: GHSA-58cw-g322-p94v, PYSEC-2026-168
Published: 2026-05-26

References

https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v

Related advisories

CVE-2026-33079 — high · PyPI/mistune
CVE-2026-44899 — medium · PyPI/mistune
CVE-2026-44898 — medium · PyPI/mistune
CVE-2026-44897 — medium · PyPI/mistune
CVE-2026-44708 — medium · PyPI/mistune

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.