CVE-2026-49851

Mistune: Potential DoS via quadratic-time parsing in parse_link_text

CVSS 8.7 HIGHEPSS 0.3%CWE-400 CWE-407 CWE-770

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.7EPSS 0.3%KEV nãoPoC —Patch —

Lifecycle

Jun 24, 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. When parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior. An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload. This vulnerability is fixed in 3.3.0.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected products

lepture · mistune

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p