Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the "key" argument.

Affected Packages

PyPI mistune

Affected versions: 0 (fixed in 0.8.1)

Related CVEs

CVE-2017-16876

Key Information

GHSA ID

GHSA-98gj-wwxm-cj3h

Published

January 4, 2019 5:47 PM

Last Modified

September 24, 2024 9:24 PM

CVSS Score

5.0 /10

Primary Ecosystem

PyPI

Primary Package

mistune

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 31, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.