Python Mistune <3.2.1 Admonition: unescaped :class: leads to XSS in HTMLRenderer
CVE-2026-59926 Published on July 8, 2026

Mistune: XSS via unescaped class option in Admonition directive
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even when HTMLRenderer escape mode is enabled. This issue is fixed in version 3.2.1.

NVD

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-59926 has been classified to as a XSS vulnerability or weakness.


Affected Versions

lepture mistune Version < 3.2.1 is affected by CVE-2026-59926