<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Mon, 13 Jul 2026 02:02:21 +0000</lastBuildDate>
    <item>
      <title>5e1dd53e-97ce-4bcb-b6e7-c1e3e3a9b426</title>
      <link>https://vulnerability.circl.lu/sighting/5e1dd53e-97ce-4bcb-b6e7-c1e3e3a9b426/export</link>
      <description>{"uuid": "5e1dd53e-97ce-4bcb-b6e7-c1e3e3a9b426", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49851", "type": "published-proof-of-concept", "source": "https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p", "content": "", "creation_timestamp": "2026-07-10T00:35:02.577008Z"}</description>
      <content:encoded>{"uuid": "5e1dd53e-97ce-4bcb-b6e7-c1e3e3a9b426", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49851", "type": "published-proof-of-concept", "source": "https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p", "content": "", "creation_timestamp": "2026-07-10T00:35:02.577008Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/5e1dd53e-97ce-4bcb-b6e7-c1e3e3a9b426/export</guid>
      <pubDate>Fri, 10 Jul 2026 00:35:02 +0000</pubDate>
    </item>
    <item>
      <title>f8f579d5-28c9-4654-8372-15a2b2d00d75</title>
      <link>https://vulnerability.circl.lu/sighting/f8f579d5-28c9-4654-8372-15a2b2d00d75/export</link>
      <description>{"uuid": "f8f579d5-28c9-4654-8372-15a2b2d00d75", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49851", "type": "seen", "source": "https://gist.github.com/alon710/ac77807be35ab79d5b8543a7caac77a2", "content": "# CVE-2026-49851: CVE-2026-49851: Algorithmic Complexity Denial of Service in Mistune Markdown Parser\n\n&amp;gt; **CVSS Score:** 7.5\n&amp;gt; **Published:** 2026-07-09\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49851\n\n## Summary\nCVE-2026-49851 is a high-severity algorithmic complexity vulnerability in the Mistune Markdown parser. Under specific conditions involving dense, unmatched nesting of opening square brackets, the parser fallback loops degrade from linear execution time to a worst-case quadratic complexity. This allows unauthenticated remote attackers to trigger complete CPU exhaustion and subsequent Denial of Service with a highly compact payload.\n\n## TL;DR\nAn algorithmic complexity degradation in the Mistune Markdown parser allows unauthenticated remote attackers to exhaust CPU resources and cause a persistent denial of service via malformed nested bracket sequences.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-407\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 7.5 (High)\n- **CVSS v4.0 Score**: 8.7 (High)\n- **Impact**: Denial of Service / CPU Exhaustion\n- **Exploit Status**: PoC available\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- Mistune Markdown Parser (PyPI Package)\n- **mistune**: &amp;lt; 3.3.0 (Fixed in: `3.3.0`)\n\n## Mitigation\n\n- Upgrade the Mistune dependency to version 3.3.0 or higher.\n- Deploy custom WAF rules to detect and drop payloads with consecutive open brackets.\n- Implement application-level input sanitization to filter or reject abnormal bracket nesting.\n\n**Remediation Steps:**\n1. Identify all python environments utilizing the mistune package.\n2. Execute pip install --upgrade mistune&amp;gt;=3.3.0 in the target environment.\n3. Deploy input inspection middleware to drop inputs containing sequence structures of 30 or more consecutive unmatched brackets.\n\n## References\n\n- [GitHub Security Advisory GHSA-qcq2-496w-v96p](https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p)\n- [National Vulnerability Database record CVE-2026-49851](https://nvd.nist.gov/vuln/detail/CVE-2026-49851)\n- [Red Hat Security Advisory Record](https://access.redhat.com/security/cve/CVE-2026-49851)\n- [Red Hat Bugzilla Bug Tracker](https://bugzilla.redhat.com/show_bug.cgi?id=2492304)\n- [Red Hat Security CSAF VEX File Export](https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49851.json)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49851) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T00:11:46.559459Z"}</description>
      <content:encoded>{"uuid": "f8f579d5-28c9-4654-8372-15a2b2d00d75", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49851", "type": "seen", "source": "https://gist.github.com/alon710/ac77807be35ab79d5b8543a7caac77a2", "content": "# CVE-2026-49851: CVE-2026-49851: Algorithmic Complexity Denial of Service in Mistune Markdown Parser\n\n&amp;gt; **CVSS Score:** 7.5\n&amp;gt; **Published:** 2026-07-09\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49851\n\n## Summary\nCVE-2026-49851 is a high-severity algorithmic complexity vulnerability in the Mistune Markdown parser. Under specific conditions involving dense, unmatched nesting of opening square brackets, the parser fallback loops degrade from linear execution time to a worst-case quadratic complexity. This allows unauthenticated remote attackers to trigger complete CPU exhaustion and subsequent Denial of Service with a highly compact payload.\n\n## TL;DR\nAn algorithmic complexity degradation in the Mistune Markdown parser allows unauthenticated remote attackers to exhaust CPU resources and cause a persistent denial of service via malformed nested bracket sequences.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-407\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 7.5 (High)\n- **CVSS v4.0 Score**: 8.7 (High)\n- **Impact**: Denial of Service / CPU Exhaustion\n- **Exploit Status**: PoC available\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- Mistune Markdown Parser (PyPI Package)\n- **mistune**: &amp;lt; 3.3.0 (Fixed in: `3.3.0`)\n\n## Mitigation\n\n- Upgrade the Mistune dependency to version 3.3.0 or higher.\n- Deploy custom WAF rules to detect and drop payloads with consecutive open brackets.\n- Implement application-level input sanitization to filter or reject abnormal bracket nesting.\n\n**Remediation Steps:**\n1. Identify all python environments utilizing the mistune package.\n2. Execute pip install --upgrade mistune&amp;gt;=3.3.0 in the target environment.\n3. Deploy input inspection middleware to drop inputs containing sequence structures of 30 or more consecutive unmatched brackets.\n\n## References\n\n- [GitHub Security Advisory GHSA-qcq2-496w-v96p](https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p)\n- [National Vulnerability Database record CVE-2026-49851](https://nvd.nist.gov/vuln/detail/CVE-2026-49851)\n- [Red Hat Security Advisory Record](https://access.redhat.com/security/cve/CVE-2026-49851)\n- [Red Hat Bugzilla Bug Tracker](https://bugzilla.redhat.com/show_bug.cgi?id=2492304)\n- [Red Hat Security CSAF VEX File Export](https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49851.json)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49851) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T00:11:46.559459Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/f8f579d5-28c9-4654-8372-15a2b2d00d75/export</guid>
      <pubDate>Fri, 10 Jul 2026 00:11:46 +0000</pubDate>
    </item>
  </channel>
</rss>
