Vulnerability in Lepture Mistune

CVE-2026-33079

In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expr…

Vulnerability class: ReDoS (Regular Expression Denial of Service)

EPSS: 0.000 (5.8th percentile) — read the EPSS interpretation.

Affected products

Lepture Mistune — versions >=3.0.0a1, <= 3.2.0

Weakness classification (CWE)

CWE-1333 — Inefficient Regular Expression Complexity

References

https://github.com/lepture/mistune/security/advisories/GHSA-8mp2-v27r-99xp (x_refsource_CONFIRM)
https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L20-L25 (x_refsource_MISC)