Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered XSS requiring victim page-load (UI:R, PR:N); scope changes to browser context (S:C); no confidentiality or integrity impact beyond browser session.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even when HTMLRenderer escape mode is enabled. This issue is fixed in version 3.2.1.
AnalysisAI
Cross-site scripting in Mistune (Python Markdown parser) prior to version 3.2.1 allows injection of arbitrary HTML attributes via the Admonition directive's :class: option, critically bypassing HTMLRenderer escape mode even when it is explicitly enabled. Applications that render user-controlled Markdown with admonition directives and serve the resulting HTML to web browsers are exposed to stored or reflected XSS, enabling session hijacking, credential theft, or malicious DOM manipulation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the target application uses Mistune with the directives/admonition plugin active, as the flaw is strictly isolated to `render_admonition()` in `src/mistune/directives/admonition.py` - applications not using admonition directives are not affected; (2) attacker-controlled input can supply Markdown admonition blocks containing a `:class:` option; and (3) the rendered HTML output is served to and viewed in a web browser by another user (stored XSS) or reflected back to the submitter (reflected XSS). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) reflects network-reachable, low-complexity, zero-privilege exploitation requiring passive victim interaction (UI:P). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a crafted Markdown document to a Mistune-powered wiki or documentation platform containing an admonition block with a malicious `:class:` value such as `" onmouseover="alert(document.cookie)"`, which closes the class attribute and injects an event handler. When Mistune renders this Markdown and the resulting HTML is served to a victim user who loads the page, the injected JavaScript executes in the victim's browser context, enabling theft of session tokens or redirection to a phishing page. … |
| Remediation | Upgrade Mistune to version 3.2.1 or later; this is the vendor-confirmed fix, delivered via commit a3cb6e5655308797e8be021d6c7b5bab13cbace2 and tagged at https://github.com/lepture/mistune/releases/tag/v3.2.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42334