Python Mistune <3.2.1 Admonition: unescaped :class: leads to XSS in HTMLRenderer
CVE-2026-59926 Published on July 8, 2026
Mistune: XSS via unescaped class option in Admonition directive
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even when HTMLRenderer escape mode is enabled. This issue is fixed in version 3.2.1.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-59926 has been classified to as a XSS vulnerability or weakness.