Listen to this Post
The vulnerability exists in Mistune’s `render_toc_ul()` function, which builds an HTML table of contents from a list of `(level, id, text)` tuples. Both the `id` (used as the `href` fragment) and the `text` (used as the link label) are inserted into `` tags using a Python format string with no HTML escaping applied to either value.
The issue is triggered when a custom `heading_id` callback is registered—a common pattern for generating human-readable “slug” anchors from heading text, such as installation. An attacker who controls the heading content can break out of the `href=”…”` attribute.
The attack begins by crafting a Markdown heading whose text is designed to terminate the `id=”…”` attribute and inject arbitrary HTML. For example:
` x”>`
</a>`</h2>
The injected `<script>` block is live in the HTML document, executing the JavaScript. This vulnerability is closely related to H2 (unescaped `id=` in `heading()`). The same vulnerable callback pattern triggers both issues simultaneously in typical documentation setups.
The default TOC hook uses safe, auto-incremented numeric IDs (`toc_1`, `toc_2`, etc.) and is not vulnerable. However, most real-world documentation generators enable the vulnerable custom callback.
The proof-of-concept script provided in the advisory demonstrates the full attack, generates an HTML report, and shows the script executing in a browser. The impact allows arbitrary JavaScript execution, including session theft and phishing.
<h2 style="color: blue;">DailyCVE Form</h2>
Platform: Mistune
Version: 3.2.0
Vulnerability: XSS
Severity: Critical
date: 2026-05-14
<h2 style="color: blue;">Prediction: 2026-05-14</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
[bash]
Check installed version
pip show mistune | grep Version
Update to patched version
pip install --upgrade mistune==3.2.1
Verify the update
python -c "import mistune; print(mistune.__version__)"
Python script to demonstrate the vulnerability
!/usr/bin/env python3
from mistune import create_markdown
from mistune.toc import add_toc_hook, render_toc_ul
def raw_id(token, index):
return token.get("text", "") Returns unsanitized heading text as ID
md = create_markdown(escape=True)
add_toc_hook(md, heading_id=raw_id) Enable vulnerable callback
exploit_src = ' x"><script>alert(document.cookie)</script><a href="'
_, state = md.parse(exploit_src)
malicious_toc = render_toc_ul(state.env.get("toc_items", []))
print(malicious_toc) Output contains injected script
Exploit:
` x”>Protection from this CVE:
Upgrade to Mistune version 3.2.1 or later, which patches the vulnerability by properly escaping the heading ID and text values in the TOC output. If upgrading is not immediately possible, sanitize any user-supplied heading text before passing it to the `heading_id` callback or avoid using custom `heading_id` callbacks that return unsanitized user input.
Impact:
| Dimension | Assessment |
| : | : |
| Confidentiality | Full session cookie theft and exfiltration of any data accessible from the page's origin. |
| Integrity | Arbitrary DOM manipulation, injection of phishing forms, forced redirects to malicious sites. |
| Availability | Page crashes or freezes as a secondary effect of injected scripts. |
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: [github.com](https://github.com/advisories/GHSA-6269-cqxg-mhhv)
Extra Source Hub:
Undercode
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)
📢 Follow DailyCVE & Stay Tuned:
| Integrity | Arbitrary DOM manipulation, injection of phishing forms, forced redirects to malicious sites. |
| Availability | Page crashes or freezes as a secondary effect of injected scripts. |
Extra Source Hub:
Undercode

