CVE-2026-49851

unknown

Published 2026-06-24 · Modified 2026-06-25

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

8.7

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

VIR risk

—

Description

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. When parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior. An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload. This vulnerability is fixed in 3.3.0.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-49851 NameCVE-2026-49851 DescriptionMistune is a Python Markdown parser with renderers and plugins. Prior ... SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Vulnerable and fixed packages The table below lists information on source packages. Source PackageReleaseVersionStatus…

CVE-2026-49851

Name	CVE-2026-49851
Description	Mistune is a Python Markdown parser with renderers and plugins. Prior ...
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
mistune (PTS)	bullseye	0.8.4-4	vulnerable
	bookworm	2.0.4-1	vulnerable
	trixie	3.1.3-1	vulnerable
	forky, sid	3.1.4-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
mistune	source	(unstable)	(unfixed)

Notes

https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p

OS impact

Debian Affected 5 releases

Version	Status	Fixed in
trixie	Affected	—
sid	Affected	—
forky	Affected	—
bullseye	Affected	—
bookworm	Affected	—

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

References

CWEs

CWE-400 CWE-407 CWE-770

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.