CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-59928

highCVSS 7.5covered by 2 sourcesfirst seen 2026-07-02
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.

CSIRTS triage

What
This vulnerability causes quadratic-time parsing issues on long lists of repeated reference-link definitions.
Who is affected
Deployments of Mistune are affected.
Urgency
Remediation is urgent due to the high severity of the vulnerability.
Action
Update to the latest version of Mistune to address this issue.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-59928

Get an email if CVE-2026-59928 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-59928

CVE.org record

Embed the live status

CVE-2026-59928 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-59928 status](https://www.csirts.com/badge/CVE-2026-59928)](https://www.csirts.com/cve/CVE-2026-59928)