Loading market data...
← Back to CVE feed

CVE-2026-59924

MEDIUM CVSS 5.9 View on NVD ↗

Description

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse() joins and normalizes user-supplied include paths without verifying that the result remains within the intended markdown directory, allowing crafted include paths to access files outside that directory when markdown files are processed using md.read(). This issue is fixed in version 3.3.0.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Published: Jul 08, 2026 17:17 UTC Modified: Jul 09, 2026 16:25 UTC