Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Untrusted Markdown is typically reachable remotely without auth (AV:N/PR:N/UI:N) and the payload is trivial to craft (AC:L); availability-only impact yields A:H, C:N, I:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugins/formatting.py when the strikethrough, mark, or insert plugin scans for matching markers from each possible start position, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.
Articles & Coverage 1
AnalysisAI
Denial of service in Mistune, a Python Markdown parser, affects all versions prior to 3.3.0 when the strikethrough, mark, or insert plugins are enabled. Remote attackers can submit crafted Markdown containing runs of closed tilde (~), equals (=), or caret (^) marker pairs that trigger quadratic-time scanning in the formatting plugin, exhausting CPU and rendering the parsing service unresponsive. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application (1) parses attacker-supplied Markdown through Mistune at a version below 3.3.0, and (2) has at least one of the strikethrough (~~), mark (==), or insert (^^) formatting plugins enabled - these plugins contain the vulnerable per-start-position scan. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a network-reachable, unauthenticated, low-complexity availability-only impact - consistent with an algorithmic-complexity DoS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a comment, wiki edit, or API payload containing a long run of closed tilde/equals/caret marker pairs (e.g., many ~~ or == sequences around characters) to a web application that renders user Markdown with Mistune's strikethrough, mark, or insert plugin enabled. The quadratic scan consumes a full CPU core for that request; repeating the submission across connections exhausts server CPU and denies service to legitimate users. … |
| Remediation | Vendor-released patch: upgrade Mistune to version 3.3.0 or later, which fixes the quadratic scanning in src/mistune/plugins/formatting.py (fix commit 96d0f57f8fe9eeb06bb4cff521962a27d7c402e7, release https://github.com/lepture/mistune/releases/tag/v3.3.0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all production systems and applications using Mistune; document which formatting plugins are active. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-407 – Inefficient Algorithmic Complexity
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42329