CVE-2026-33441: Mistune has a Denial-of-Service (DoS) vulnerability

May 6, 2026

Denial-of-Service (DoS) vulnerability in the Mistune Markdown parser. The issue occurs when processing specially crafted reference links, which can cause excessive parsing and CPU consumption, leading to application hangs.

Function affected: parse_link_title() in helpers.py Issue: Malformed reference links cause excessive backtracking and parsing loops. Impact: Remote attackers can submit malicious Markdown to hang processes, causing service unavailability.

References

github.com/advisories/GHSA-hjph-f4mc-wx4c
github.com/lepture/mistune
github.com/lepture/mistune/security/advisories/GHSA-hjph-f4mc-wx4c
nvd.nist.gov/vuln/detail/CVE-2026-33441

Code Behaviors & Features

Detect and mitigate CVE-2026-33441 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →