How the CVE Works
The vulnerability originates in the `render_figure()` function within the `mistune/directives/image.py` module (lines 152-168). When processing a Markdown `:::{figure}` directive, this function constructs the HTML `
`HTMLRenderer(escape=True)`, as these parameters are not processed by the inline renderer, which would otherwise encode dangerous characters like `<`, `>`, and `"`. An attacker can craft a malicious Markdown file containing a `:::{figure}` directive with a `figclass` or `figwidth` value that includes a double quote followed by an event handler, e.g. `" onload="alert(/XSS/)"`. When processed, the vulnerable function outputs an HTML string like `<figure class="" onload="alert(/XSS/)">`. The browser interprets the injected text as a legitimate attribute and runs the JavaScript when the element loads. The injection is possible because the code concatenates the raw user-supplied string directly into the HTML template:

```python
# Simplified vulnerable logic
html = '<figure class="' + figclass + '">'
```

Instead of passing the value through an escaping function, the developer treated `figclass` as a safe value. Notably, other attributes like `src`, `alt`, and `style` in the same file are properly escaped, but `figclass` and `figwidth` were overlooked, making this injection path uniquely accessible.
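The pattern above, as an added example that is not mistune's own code: the page's simplified concatenation is placed beside a hardened version that escapes every attribute value, and a small detection helper checks rendered output for an injected event-handler attribute. The function names, the detection regex and the sample payload are this example's own constructions; escaping is done with the standard library's `html.escape` rather than mistune's internal helper.

```python
import html
import re

# Added example (not mistune's own code): the unsafe attribute concatenation
# next to a hardened version. Function names and the payload are constructed.


def render_figure_vulnerable(text, figclass="", figwidth=""):
    """Mirror of the unsafe pattern: raw option values spliced into attributes."""
    html_out = '<figure class="' + figclass + '"'
    if figwidth:
        html_out += ' style="width:' + figwidth + '"'
    return html_out + ">" + text + "</figure>"


def render_figure_safe(text, figclass="", figwidth=""):
    """Same output shape, but each attribute value is escaped with quote=True,
    so a double quote in the value becomes &quot; and cannot close the attribute."""
    html_out = '<figure class="' + html.escape(figclass, quote=True) + '"'
    if figwidth:
        html_out += ' style="width:' + html.escape(figwidth, quote=True) + '"'
    return html_out + ">" + text + "</figure>"


# Heuristic detector for rendered output: a whitespace-separated on* attribute
# whose value opens with a literal double quote. It only recognises the quoted
# form, which is the shape described for this vulnerability.
_EVENT_HANDLER = re.compile(r'\son[a-z]+\s*=\s*"', re.IGNORECASE)


def has_injected_handler(rendered):
    """True if the rendered HTML contains an injected on*="..." attribute."""
    return bool(_EVENT_HANDLER.search(rendered))


if __name__ == "__main__":
    # Constructed payload in the shape the page describes
    payload = '" onload="alert(1)'
    print(render_figure_vulnerable("<img>", figclass=payload))
    print(render_figure_safe("<img>", figclass=payload))
```

With the constructed payload the vulnerable renderer emits `class="" onload="alert(1)"`, while the safe renderer keeps the whole value inside one `class` attribute as `&quot; onload=&quot;alert(1)`; benign values such as `align-center` or `50%` pass through both renderers unchanged.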
DailyCVE Form
Platform: Mistune (Python package)
Version: <= 3.2.0
Vulnerability: XSS via unescaped figclass/figwidth
Severity: Medium (CVSS 5.3)
Date: 2026-05-08
Prediction: 2026-05-10 (patch expected)
Bash Commands to Check/Elevate
```shell
# Check installed version
pip show mistune | grep Version

# Upgrade to patched version (quote the spec so the shell does not treat ">" as a redirect)
pip install --upgrade 'mistune>=3.2.1'

# Test for vulnerability (Proof-of-Concept)
python -c "from mistune import create_markdown; md = create_markdown(renderer='html'); print(md(':::{figure} :::'))"
```
Python Proof-of-Concept
```python
from mistune import create_markdown
from mistune.directives import FencedDirective, Figure

# The figure directive is not active by default: register it through the
# fenced-directive plugin so that ":::{figure}" blocks are parsed at all.
md = create_markdown(renderer='html', plugins=[FencedDirective([Figure()])])

# Vulnerable payload: the figclass value closes the class attribute and
# injects an event handler
payload = '''
:::{figure}
:figclass: " onload="alert('XSS')"
:alt: safe alt
:::
'''
print(md(payload))
# Expected output includes unescaped double quotes: class=" onload="alert('XSS')"
```
Exploit
An attacker provides a specially crafted Markdown file that includes a `:::{figure}` directive. The `figclass` or `figwidth` parameter includes a double quote and an event handler, e.g., " onload="alert(document.cookie)". The Python application using Mistune to convert untrusted Markdown to HTML will generate a `
Protection from this CVE
- Immediate Action: Upgrade Mistune to version 3.2.1 or higher, which includes proper escaping for the `figclass` and `figwidth` attributes.
- Workaround (if upgrading is not possible): Disable the figure directive in the Markdown parser configuration, specifically avoiding the use of `:::{figure}` blocks.
- Long-term Strategy: Implement a Content Security Policy (CSP) to mitigate the impact of XSS, and use a Markdown parser that provides robust, built-in XSS protection.
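For deployments that cannot upgrade immediately, the following added example (not part of the page and not mistune's own code) implements the workaround as a pre-parse guard: it scans untrusted Markdown for `:::{figure}` option lines and only lets `figclass`/`figwidth` values through when they match a strict allowlist (CSS class tokens, or a plain CSS length). Rejected lines are dropped and reported so they can be logged. The function name, the regular expressions and the sample input are this example's own assumptions.

```python
import re

# Added example (not mistune's code): allowlist guard for figure directive
# options, applied to untrusted Markdown before it reaches the renderer.

# Option lines inside a directive look like ":figclass: value". The pattern is
# applied to every line, so it is deliberately conservative about context.
_OPTION_LINE = re.compile(r'^\s*:(figclass|figwidth):\s*(.*)$')
# One or more CSS class tokens separated by whitespace
_CLASS_OK = re.compile(r'^[A-Za-z_][\w-]*(\s+[A-Za-z_][\w-]*)*$')
# A CSS length: digits (optionally decimal) followed by %, px, em or rem
_WIDTH_OK = re.compile(r'^\d+(\.\d+)?(%|px|em|rem)$')

_ALLOW = {"figclass": _CLASS_OK, "figwidth": _WIDTH_OK}


def guard_figure_options(markdown_text):
    """Return (sanitized_markdown, findings).

    findings is a list of (line_number, option, rejected_value) for every
    option line whose value fails the allowlist; those lines are removed
    before the text is handed to the Markdown renderer."""
    kept = []
    findings = []
    for number, line in enumerate(markdown_text.splitlines(), start=1):
        m = _OPTION_LINE.match(line)
        if m:
            option, value = m.group(1), m.group(2).strip()
            if not _ALLOW[option].match(value):
                findings.append((number, option, value))
                continue  # drop the offending option line
        kept.append(line)
    return "\n".join(kept), findings


if __name__ == "__main__":
    # Constructed sample: one benign figure and one in the injection shape
    # described on the page
    sample = """:::{figure} diagram.png
:figclass: align-center
:figwidth: 50%
:::

:::{figure} evil.png
:figclass: " onload="alert(document.cookie)"
:figwidth: 10px" onerror="alert(1)
:::
"""
    clean, hits = guard_figure_options(sample)
    for number, option, value in hits:
        print(f"line {number}: rejected {option} value {value!r}")
    print(clean)
```

Input-side filtering like this is a stopgap: it narrows what reaches the renderer and gives you a log line per rejected value, but the durable fix remains escaping the attribute values at render time, which the patched release provides. A CSP that disallows inline script (`script-src` without `'unsafe-inline'`) is the complementary control that limits damage if a value still slips through.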
Impact
- Confidentiality: An attacker can access sensitive information (cookies, session data) from the victim’s browser, potentially leading to account takeover.
- Integrity: Malicious scripts can modify the content of the page, perform unauthorized actions on behalf of the user, or redirect the user to phishing sites.
- Availability: While not directly causing a Denial of Service, the XSS can be used in conjunction with other attacks to disrupt the user’s experience.
- Scope: The vulnerability affects any application that uses Mistune to process user-submitted Markdown and renders HTML with the figure directive enabled. Since the default `HTMLRenderer(escape=True)` is bypassed, applications that relied on this flag for security are still vulnerable.
Sources:
Reported By: github.com