CVE-2026-59924
MEDIUM
NVD
CVSS Score
5.9
Severity
MEDIUM
Published
Jul 08, 2026
Vendor
unknown
Description
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse() joins and normalizes user-supplied include paths without verifying that the result remains within the intended markdown directory, allowing crafted include paths to access files outside that directory when markdown files are processed using md.read(). This issue is fixed in version 3.3.0.