Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.
https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-69534.json
https://github.com/Python-Markdown/markdown/issues/1534
https://github.com/Python-Markdown/markdown/actions/runs/15736122892
https://github.com/Python-Markdown/markdown
https://bugzilla.redhat.com/show_bug.cgi?id=2444839
https://access.redhat.com/security/cve/CVE-2025-69534
https://access.redhat.com/errata/RHSA-2026:9742
https://access.redhat.com/errata/RHSA-2026:20677
https://access.redhat.com/errata/RHSA-2026:20676
https://access.redhat.com/errata/RHSA-2026:20674
https://access.redhat.com/errata/RHSA-2026:19366
https://access.redhat.com/errata/RHSA-2026:19155
https://access.redhat.com/errata/RHSA-2026:14874
https://access.redhat.com/errata/RHSA-2026:14873
https://access.redhat.com/errata/RHSA-2026:14835
https://access.redhat.com/errata/RHSA-2026:13826
https://access.redhat.com/errata/RHSA-2026:13512
https://access.redhat.com/errata/RHSA-2026:13508
Published: 2026-03-05
Updated: 2026-06-30
Base Score: 7.8
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C
Severity: High
Base Score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: High
Base Score: 6.9
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Severity: Medium
EPSS: 0.00071