Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.5%top 62%

CVE-2026-33079: CWE-1333: Inefficient Regular Expression Complexity in lepture mistune

0
High
VulnerabilityCVE-2026-33079cvecve-2026-33079cwe-1333
Published: 05/06/2026 (05/06/2026, 17:25:09 UTC)
Source: CVE Database V5
Vendor/Project: lepture
Product: mistune

Description

In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles contains overlapping alternatives that can trigger catastrophic backtracking. In both the double-quoted and single-quoted branches, a backslash followed by punctuation can be matched either as an escaped punctuation sequence or as two ordinary characters, creating an ambiguous pattern inside a repeated group. If an attacker supplies Markdown containing repeated ! sequences with no closing quote, the regex engine explores an exponential number of backtracking paths. This is reachable through normal Markdown parsing of inline links and block link reference definitions. A small crafted input can therefore cause significant CPU consumption and make applications using Mistune unresponsive.

CVSS v4.0

Score 8.7high

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Vuln. Confidentiality
None
Vuln. Integrity
None
Vuln. Availability
High
Subsq. Confidentiality
None
Subsq. Integrity
None
Subsq. Availability
None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected software

mistune
pkg:pypi/mistune

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 06/30/2026, 21:42:15 UTC

Technical Analysis

CVE-2026-33079 describes a ReDoS vulnerability in the Mistune Markdown parser, specifically in versions 3.0.0a1 through 3.2.0. The vulnerability is due to the LINK_TITLE_RE regular expression, which contains overlapping alternatives that create ambiguous matching paths. This ambiguity leads to catastrophic backtracking when parsing certain crafted Markdown inputs, such as repeated exclamation marks without a closing quote in link titles. This can cause significant CPU consumption and denial of service in applications that parse Markdown using Mistune.

Potential Impact

An attacker who can supply Markdown input to a vulnerable Mistune parser can cause a denial of service by triggering excessive CPU usage through crafted inputs that exploit the inefficient regular expression. This can make applications unresponsive, impacting availability. There are no indications of privilege escalation, data disclosure, or other impacts beyond denial of service.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is indicated in the provided data. Users should monitor the Red Hat advisory and the Mistune project for updates. Until a fix is available, consider limiting or sanitizing Markdown input from untrusted sources to reduce exposure to this vulnerability.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-17T19:27:06.345Z
Cvss Version
4.0
State
PUBLISHED
Remediation Level
null
Vendor Advisory Urls
[{"url":"https://access.redhat.com/security/cve/CVE-2026-33079","vendor":"Red Hat"}]

Threat ID: 69fb7f9ecbff5d8610195779

Added to database: 05/06/2026, 17:51:26 UTC

Last enriched: 06/30/2026, 21:42:15 UTC

Last updated: 07/04/2026, 08:51:22 UTC

Views: 157

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses