SUSE alert openSUSE-SU-2026:20827-1 (python-mistune)
| From: | null@suse.de | |
| To: | security-announce@lists.opensuse.org | |
| Subject: | openSUSE-SU-2026:20827-1: important: Security update for python-mistune | |
| Date: | Fri, 29 May 2026 17:51:21 +0200 | |
| Message-ID: | <20260529155121.4FFD2FD89@maintenance.suse.de> | |
| Archive-link: | Article |
openSUSE security update: security update for python-mistune ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20827-1 Rating: important References: * bsc#1264347 * bsc#1264750 * bsc#1264751 * bsc#1264752 * bsc#1264754 * bsc#1265052 * bsc#1265053 Cross-References: * CVE-2026-33079 * CVE-2026-33441 * CVE-2026-44708 * CVE-2026-44896 * CVE-2026-44897 * CVE-2026-44898 * CVE-2026-44899 CVSS scores: * CVE-2026-33079 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33079 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-33441 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33441 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-44708 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-44708 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-44896 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-44896 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-44897 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-44897 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-44898 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-44898 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-44899 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-44899 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 7 vulnerabilities and has 7 bug fixes can now be installed. Description: This update for python-mistune fixes the following issues - CVE-2026-33079: ReDoS in `LINK_TITLE_RE` can lead to denial of service via a crafted Markdown (bsc#1264347). - CVE-2026-33441: processing of malformed reference links can lead to excessive resource consumption and denial of service (bsc#1264752). - CVE-2026-44708: improper HTML escaping in the math plugin can lead to XSS (bsc#1264751). - CVE-2026-44896: improper escaping in `render_figure` can lead to attribute injection and XSS (bsc#1264754). - CVE-2026-44897: improper sanitization of user-controlled input in `HTMLRenderer.heading` can lead to XSS (bsc#1264750). - CVE-2026-44898: improper sanitization of user-supplied HTML input in `render_toc_ul` can lead to XSS (bsc#1265052). - CVE-2026-44899: improper input verification in Image directive plugin and improper escaping in `render_block_image` can lead to CSS injection (bsc#1265053). Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-816=1 Package List: - openSUSE Leap 16.0: python313-mistune-3.1.3-160000.3.1 References: * https://www.suse.com/security/cve/CVE-2026-33079.html * https://www.suse.com/security/cve/CVE-2026-33441.html * https://www.suse.com/security/cve/CVE-2026-44708.html * https://www.suse.com/security/cve/CVE-2026-44896.html * https://www.suse.com/security/cve/CVE-2026-44897.html * https://www.suse.com/security/cve/CVE-2026-44898.html * https://www.suse.com/security/cve/CVE-2026-44899.html