CVE-2026-49851
- Source
- https://cve.org/CVERecord?id=CVE-2026-49851
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-49851.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-49851
- Aliases
-
- GHSA-qcq2-496w-v96p
- Downstream
- Published
- 2026-06-24T17:05:33.602Z
- Modified
- 2026-06-25T04:04:15.865010871Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Mistune: Potential DoS via quadratic-time parsing in parse_link_text
- Details
-
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parselinktext. When parsing Markdown containing many consecutive [ characters, parselinktext repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior. An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload. This vulnerability is fixed in 3.3.0.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49851.json", "cwe_ids": [ "CWE-400", "CWE-407", "CWE-770" ], "cna_assigner": "GitHub_M" }- References
Affected packages
Git / github.com/lepture/mistune
Affected versions
v0.*
v0.1.0
v0.2.0
v0.3.0
v0.3.1
v0.4
v0.4.1
v0.5
v0.5.1
v0.6
v0.7
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.8
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v2.*
v2.0.0
v2.0.0a1
v2.0.0a2
v2.0.0a3
v2.0.0a4
v2.0.0a5
v2.0.0a6
v2.0.0rc1
v2.0.1
v2.0.2
v3.*
v3.0.0
v3.0.0a1
v3.0.0a2
v3.0.0a3
v3.0.0rc1
v3.0.0rc2
v3.0.0rc3
v3.0.0rc4
v3.0.0rc5
v3.0.1
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.2.0
v3.2.1