CVE-2026-7210

MEDIUM EPSS 51.7%
Published May 11, 2026 · Modified Jun 17, 2026
6.3 CVSS 4.0

Description

`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

CVSS Details

Base Score: 6.3
Vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X

Threat Intelligence

EPSS Exploit Probability
51.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-331

Affected Products 1

Vendor | Product | Version | Range
python | python | * | <3.15.0

References 9

  • openwall.com http://www.openwall.com/lists/oss-security/2026/05/11/13
    Mailing List, Third Party Advisory
  • openwall.com http://www.openwall.com/lists/oss-security/2026/05/11/8
    Mailing List, Third Party Advisory
  • github.com https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4
    Patch
  • github.com https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566
    Patch
  • github.com https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a
    Patch
  • github.com https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f
    Patch
  • github.com https://github.com/python/cpython/issues/149018
    Issue Tracking
  • github.com https://github.com/python/cpython/pull/149023
    Issue Tracking, Patch
  • mail.python.org https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/
    Mailing List, Third Party Advisory

Remediation

  • github.com https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4
    Patch
  • github.com https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566
    Patch
  • github.com https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a
    Patch
  • github.com https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f
    Patch
  • github.com https://github.com/python/cpython/pull/149023
    Issue Tracking, Patch