EXECUTIVE SUMMARY:
CVE-2026-33079 (CVSS score 8.7) is a ReDoS (Regular Expression Denial of Service) vulnerability in the LINK_TITLE_RE regular expression used by the mistune package, affecting versions 3.0.0a1 through 3.2.0. An attacker who can supply Markdown for parsing can trigger catastrophic backtracking in the regular expression engine and thereby cause a denial of service. A crafted Markdown document reaches the vulnerable pattern through normal parsing of inline links or block link reference definitions. Exploitation consumes significant CPU, making applications that use Mistune unresponsive. The business impact is a denial-of-service condition, which can lead to downtime, lost productivity, and potential financial losses. To exploit the vulnerability, an attacker requires access to the system where Mistune is being used and the ability to supply Markdown for parsing, for example through user input or file uploads.
RECOMMENDATION:
We recommend updating mistune to version 3.2.1.
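As an added check (not part of this advisory and not mistune's own code), the following script flags a pinned mistune version that falls inside the affected range 3.0.0a1 through 3.2.0, taking care that pre-releases such as 3.0.0a1 sort before the final 3.0.0. The `pip freeze` sample is constructed.

```python
import re
from typing import Optional, Tuple

# Affected range from the advisory: mistune >= 3.0.0a1 and <= 3.2.0; fixed in 3.2.1.
AFFECTED_LOW = "3.0.0a1"
AFFECTED_HIGH = "3.2.0"
FIXED = "3.2.1"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a PEP 440-style release string into a sortable tuple.
    Pre-releases (a/b/rc) sort before the final release with the same number,
    so 3.0.0a1 < 3.0.0 and 3.2.0rc1 < 3.2.0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    rank = _PRE_RANK[pre] if pre else 3  # final release ranks above any pre-release
    return (int(major), int(minor), int(patch), rank, int(pre_num or 0))


def is_affected(version: str) -> bool:
    """True if this mistune version is within the vulnerable range."""
    return version_key(AFFECTED_LOW) <= version_key(version) <= version_key(AFFECTED_HIGH)


# Constructed sample of `pip freeze` output (not taken from any real environment).
SAMPLE_FREEZE = """\
Jinja2==3.1.4
mistune==3.1.3
MarkupSafe==2.1.5
"""


def find_affected(freeze_text: str) -> Optional[str]:
    """Return the pinned mistune version if it is in the affected range, else None."""
    for line in freeze_text.splitlines():
        name, sep, ver = line.partition("==")
        if sep and name.strip().lower() == "mistune" and is_affected(ver):
            return ver.strip()
    return None


if __name__ == "__main__":
    hit = find_affected(SAMPLE_FREEZE)
    print(f"mistune {hit} is affected; upgrade to {FIXED}" if hit else "no affected mistune pin found")
```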
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-8mp2-v27r-99xp