CVE-2026-44708: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in lepture mistune
CVE-2026-44708 is a cross-site scripting (XSS) vulnerability in the math plugin of mistune, the Python Markdown parser, in versions prior to 3.2.1. The plugin concatenates the raw math source taken from user input directly into its HTML output without escaping it, even when the parser's escape mode (escape=True) is enabled. An attacker who can get crafted Markdown rendered by an affected version can therefore inject script into the generated page. The issue is fixed in mistune 3.2.1.
AI Analysis
Technical Summary
Mistune is a Python Markdown parser with support for renderers and plugins, including a math plugin that renders inline and block math expressions. In versions before 3.2.1, the math plugin inserts the user-supplied math source directly into its HTML output without escaping it. That bypasses the guarantee of escape=True, which is supposed to HTML-escape user-controlled text so that it cannot be interpreted as markup. This improper neutralization of input during web page generation (CWE-79) lets an attacker place arbitrary HTML, including script-bearing tags or event handlers, into the rendered page, resulting in cross-site scripting. The vulnerability has a CVSS 3.1 base score of 6.1 (medium). It is resolved in mistune 3.2.1.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary script in the browser of any user who views content rendered by the vulnerable math plugin; the script runs in the origin of the site that serves the rendered HTML, not in mistune's own process. The consequences are limited confidentiality and integrity impacts, such as theft of session or user data and manipulation of displayed content. There is no indication of availability impact. No exploitation in the wild had been reported as of the publication date.
Mitigation Recommendations
Upgrade mistune to version 3.2.1 or later, where this vulnerability is fixed; the fix is confirmed in 3.2.1 and upgrading is the recommended remediation. The advisory specifies no additional mitigations. In practice, verify the version actually installed in each deployment (pinned requirements and lockfiles may hold an older release than the one you intended), and until the upgrade ships, disable the math plugin for untrusted input or pass the rendered HTML through an allowlist-based HTML sanitizer as defence in depth.
CVSS v3.1: 6.1 (Medium)
Weaknesses: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-07T17:07:09.318Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: not specified
Threat ID: 6a170b61e29bf47b50c90912
Added to database: 5/27/2026, 3:18:57 PM
Last enriched: 5/27/2026, 3:49:34 PM
Last updated: 5/27/2026, 4:27:19 PM