CVE-2026-33079: Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown i…

Summary A ReDoS (Regular Expression Denial of Service) vulnerability in LINK_TITLE_RE allows an attacker who can supply Markdown for parsing to cause denial of service. A crafted 58-byte Markdown document blocks the par…

7.5CVSS Score

HIGHSeverity

NOCISA KEV

VulnerabilityImpact Type

📋 Vulnerability Details

CVE ID	CVE-2026-33079
Vendor	pip
Affected Product	mistune
Vulnerability Type	Vulnerability
CVSS Score	7.5 (HIGH)
Actively Exploited	❌ No known exploitation
Patch Status	See Vendor Advisory →
Reported By	CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Summary A ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` allows an attacker who can supply Markdown for parsing to cause denial of service. A crafted 58-byte Markdown document blocks the parser for approximately 6 seconds (measured on Apple M2, Python 3.14.3), with exponential growth per additional byte pair.

Details The vulnerable regex is defined in [`src/mistune/helpers.py#L20-L25`](https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L20-L25): ```python`


LINK_TITLE_RE = re.compile( r"[ \t\n]+(" r'"(?:\\' + PUNCTUATION + r'|[^"\x00])*"|'
"title" r"'(?:\\" + PUNCTUATION + r"|[^'\x00])*'"
'title' r")"

) ` The double-quote branch compiles to "(?:\\[PUNCTUATION]|[^"\x00])*"`. The two alternatives

🎯 Known Indicators of Compromise

{"type":"sha1","value":"df23edd60b43b639d2e6760ef9dd3d618aa11c21","confidence_score":0.9,"first_seen":"2026-05-06","source_count":1} {"type":"url","value":"https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers","confidence_score":0.82,"first_seen":"2026-05-06","source_count":1}

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-33079 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries

🛡️ Get Detection Pack → 🔌 Access via API →

CVE-2026-33079: Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown i…

📋 Vulnerability Details

🔬 Technical Analysis

Details The vulnerable regex is defined in [src/mistune/helpers.py#L20-L25](https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L20-L25): ``python

"title" r"'(?:\\" + PUNCTUATION + r"|[^'\x00])*'"

'title' r")"

🎯 Known Indicators of Compromise

📚 Advisory References

Get CVE-2026-33079 Detection Pack

🔗 Related Intelligence

Details The vulnerable regex is defined in [`src/mistune/helpers.py#L20-L25`](https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L20-L25): ```python`