CVE-2017-15612
MEDIUM6.1EPSS 0.12%Cross-site Scripting in Mistune
Published: 5/17/2022Modified: 4/28/2026
Description
mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\nscript:) or a crafted email address, related to the escape and autolink functions.
Affected packages (3)
- Debian/mistunefrom 0, < 0.8-1
- PyPI/mistunefrom 0, < 0.8
- PyPI/mistunefrom 0, < 0.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (7)
- ADVISORYhttps://github.com/advisories/GHSA-hpv5-v8g5-c864
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-15612
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-15612
- PATCHhttps://github.com/lepture/mistune
- WEBhttps://github.com/lepture/mistune/commit/d6f0b6402299bf5a380e7b4e77bd80e8736630fe
- WEBhttps://github.com/lepture/mistune/pull/140
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/mistune/PYSEC-2017-80.yaml