Impact
Mistune is a Python Markdown parser. Before version 3.2.1, the HTMLRenderer.heading() method builds the opening <hN> tag by concatenating the id attribute value directly into the tag without any escaping or sanitisation. A double quote inside the id value terminates the attribute, so an attacker who controls that value can inject arbitrary attributes into the heading element, including event handlers such as onclick and dangerous src or href values. Applications that render such Markdown are therefore exposed to reflected or stored XSS, with arbitrary client-side script executing when the rendered output is displayed in a browser. The weakness is classified as CWE-79.
Affected Systems
The vulnerability affects the Mistune library released by Lepture. Any deployment that uses a Mistune version older than 3.2.1 to render Markdown to HTML is potentially affected; the vulnerable id handling logic exists only in versions 3.2.0 and earlier.
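The following added example illustrates the two points above: the unescaped attribute concatenation described under Impact, placed beside its hardened form, and a version check for the affected range given under Affected Systems. It is not Mistune's own code; the function names heading_unescaped, heading_escaped, attribute_names and version_is_affected are assumptions, and the renderer is a deliberately simplified stand-in for the real HTMLRenderer.heading() pattern.

```python
import html
import re

# Simplified heading renderer that mimics the flawed pattern the advisory describes:
# the id value is concatenated into the tag unescaped, so a double quote in the
# value closes the attribute and anything after it lands inside the <hN> tag.
# (Illustrative stand-in, not Mistune's actual HTMLRenderer.heading() code.)
def heading_unescaped(text, level, id_value=None):
    tag = "h" + str(level)
    if id_value is None:
        return "<" + tag + ">" + text + "</" + tag + ">\n"
    return "<" + tag + ' id="' + id_value + '">' + text + "</" + tag + ">\n"

# Hardened form: the id value is HTML-escaped (quote=True also escapes the double
# quote) before it is placed inside the attribute, so it can no longer end it.
def heading_escaped(text, level, id_value=None):
    tag = "h" + str(level)
    if id_value is None:
        return "<" + tag + ">" + text + "</" + tag + ">\n"
    safe_id = html.escape(id_value, quote=True)
    return "<" + tag + ' id="' + safe_id + '">' + text + "</" + tag + ">\n"

# Names of the attributes that actually end up on the opening tag. A correct
# render of one heading with an id yields exactly one attribute, "id".
ATTR_RE = re.compile(r'\s([a-zA-Z_:][-a-zA-Z0-9_:.]*)="[^"]*"')

def attribute_names(rendered):
    open_tag = rendered[: rendered.index(">") + 1]
    return ATTR_RE.findall(open_tag)

# Version check for the range the advisory gives: every release before 3.2.1.
# Pre-release suffixes (e.g. "rc1") are ignored; only the numeric parts compare.
def version_is_affected(version):
    parts = tuple(int(re.match(r"\d+", p).group()) for p in version.split(".")[:3])
    while len(parts) < 3:
        parts += (0,)
    return parts < (3, 2, 1)

if __name__ == "__main__":
    # Constructed sample id carrying a double quote, the character that breaks
    # out of the attribute; the injected attribute is a harmless data-* marker.
    sample_id = 'intro" data-injected="1'
    print(heading_unescaped("Intro", 1, sample_id), end="")
    print(attribute_names(heading_unescaped("Intro", 1, sample_id)))
    print(heading_escaped("Intro", 1, sample_id), end="")
    print(attribute_names(heading_escaped("Intro", 1, sample_id)))
    for v in ("3.2.0", "3.2.1"):
        print(v, "affected" if version_is_affected(v) else "not affected")
```

Running the block shows the unescaped render carrying two attributes on the tag while the escaped render keeps the entire value, quote included, inside the single id attribute. The version check reflects the advisory's stated range only; the actual remediation is upgrading to 3.2.1 or later, and applications that render untrusted Markdown still benefit from filtering the resulting HTML.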
Risk and Exploitability
The CVSS score of 6.1 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, which suggests no currently known widespread exploitation, although it remains a security concern. An attacker needs the ability to inject Markdown content that a vulnerable Mistune instance will render, typically through a web application or content management system that trusts Markdown input directly. The injected script executes in the browser of anyone who views the rendered page, which can lead to data theft or defacement. Because no sanitisation is applied, exploitation is straightforward for any application that renders user-supplied Markdown without additional filtering.
OpenCVE Enrichment
Github GHSA