Vulnerability Details CVE-2026-59927
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect cycles, allowing two markdown files that include each other to trigger unbounded recursion, raise RecursionError, and crash the rendering request. This issue is fixed in version 3.3.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 22.6%
CVSS Severity
CVSS v3 Score 5.3
Products affected by CVE-2026-59927
-
cpe:2.3:a:mistune_project:mistune:0.1.0
-
cpe:2.3:a:mistune_project:mistune:0.2.0
-
cpe:2.3:a:mistune_project:mistune:0.3.0
-
cpe:2.3:a:mistune_project:mistune:0.3.1
-
cpe:2.3:a:mistune_project:mistune:0.4
-
cpe:2.3:a:mistune_project:mistune:0.4.1
-
cpe:2.3:a:mistune_project:mistune:0.5
-
cpe:2.3:a:mistune_project:mistune:0.5.1
-
cpe:2.3:a:mistune_project:mistune:0.6
-
cpe:2.3:a:mistune_project:mistune:0.7
-
cpe:2.3:a:mistune_project:mistune:0.7.1
-
cpe:2.3:a:mistune_project:mistune:0.7.2
-
cpe:2.3:a:mistune_project:mistune:0.7.3
-
cpe:2.3:a:mistune_project:mistune:0.7.4
-
cpe:2.3:a:mistune_project:mistune:0.8
-
cpe:2.3:a:mistune_project:mistune:0.8.1
-
cpe:2.3:a:mistune_project:mistune:0.8.2
-
cpe:2.3:a:mistune_project:mistune:0.8.3
-
cpe:2.3:a:mistune_project:mistune:0.8.4
-
cpe:2.3:a:mistune_project:mistune:2.0.0
-
cpe:2.3:a:mistune_project:mistune:2.0.1
-
cpe:2.3:a:mistune_project:mistune:2.0.2
-
cpe:2.3:a:mistune_project:mistune:2.0.3
-
cpe:2.3:a:mistune_project:mistune:2.0.4
-
cpe:2.3:a:mistune_project:mistune:2.0.5
-
cpe:2.3:a:mistune_project:mistune:3.0.0
-
cpe:2.3:a:mistune_project:mistune:3.0.1
-
cpe:2.3:a:mistune_project:mistune:3.0.2
-
cpe:2.3:a:mistune_project:mistune:3.1.0
-
cpe:2.3:a:mistune_project:mistune:3.1.1
-
cpe:2.3:a:mistune_project:mistune:3.1.2
-
cpe:2.3:a:mistune_project:mistune:3.1.3
-
cpe:2.3:a:mistune_project:mistune:3.1.4
-
cpe:2.3:a:mistune_project:mistune:3.2.0
-
cpe:2.3:a:mistune_project:mistune:3.2.1