PSF-2026-23
See a problem?- Import Source
- https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2026-23.json
- JSON Data
- https://api.osv.dev/v1/vulns/PSF-2026-23
- Aliases
- Published
- 2026-05-11T17:19:09.784Z
- Modified
- 2026-06-11T02:04:37.514083Z
- Summary
- [none]
- Details
-
xml.parsers.expatandxml.etree.ElementTreeuse insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch. - Database specific
{ "cwe_ids": [] }- References
-
- https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/
- https://github.com/python/cpython/pull/149023
- https://github.com/python/cpython/issues/149018
- https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4
- https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566
- https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a
- https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f
Affected packages
Git / github.com/python/cpython
Affected ranges
- Type
- GIT
- Repo
- https://github.com/python/cpython
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixedFixedFixed
Affected versions
v0.*
v0.9.8
v0.9.9
v1.*
v1.0.1
v1.0.2
v1.1
v1.1.1
v1.2
v1.2b1
v1.2b2
v1.2b3
v1.2b4
v1.3
v1.3b1
v1.4
v1.4b1
v1.4b2
v1.4b3
v1.5
v1.5.1
v1.5.2
v1.5.2a1
v1.5.2a2
v1.5.2b1
v1.5.2b2
v1.5.2c1
v1.5a1
v1.5a2
v1.5a3
v1.5a4
v1.5b1
v1.5b2
v1.6a1
v1.6a2
v2.*
v2.0
v2.0b1
v2.0b2
v2.0c1
v2.1
v2.1a1
v2.1a2
v2.1b1
v2.1b2
v2.1c1
v2.1c2
v2.2a3
v2.3c1
v2.3c2
v2.4
v2.4a1
v2.4a2
v2.4a3
v2.4b1
v2.4b2
v2.4c1
v3.*
v3.0a1
v3.0a2
v3.0a3
v3.0a4
v3.0a5
v3.0b1
v3.0b2
v3.0b3
v3.0rc1
v3.0rc2
v3.0rc3
v3.1
v3.10.0a1
v3.10.0a7
v3.11.0a3
v3.11.0a4
v3.11.0a5
v3.11.0a6
v3.11.0a7
v3.11.0b1
v3.12.0a1
v3.12.0a2
v3.12.0a3
v3.12.0a4
v3.12.0a5
v3.12.0a6
v3.12.0a7
v3.12.0b1
v3.13.0
v3.13.0a1
v3.13.0a2
v3.13.0a3
v3.13.0a4
v3.13.0a5
v3.13.0a6
v3.13.0b1
v3.13.0b2
v3.13.0b3
v3.13.0b4
v3.13.0rc1
v3.13.0rc2
v3.13.0rc3
v3.13.1
v3.13.10
v3.13.11
v3.13.12
v3.13.13
v3.13.2
v3.13.3
v3.13.4
v3.13.5
v3.13.6
v3.13.7
v3.13.8
v3.14.0
v3.14.0a1
v3.14.0a2
v3.14.0a3
v3.14.0a4
v3.14.0a5
v3.14.0a6
v3.14.0a7
v3.14.0b1
v3.14.0b2
v3.14.0b3
v3.14.0b4
v3.14.0rc1
v3.14.0rc2
v3.14.0rc3
v3.14.1
v3.14.2
v3.14.3
v3.14.4
v3.14.5
v3.14.5rc1
v3.15.0a1
v3.15.0a2
v3.15.0a3
v3.15.0a4
v3.15.0a5
v3.15.0a6
v3.15.0a7
v3.15.0a8
v3.15.0b1
v3.1a1
v3.1a2
v3.1b1
v3.1rc1
v3.1rc2
v3.2a1
v3.2a2
v3.2a3
v3.2a4
v3.2b1
v3.2b2
v3.2rc1
v3.2rc2
v3.2rc3
v3.3.0a2
v3.3.0a3
v3.3.0a4
v3.3.0b1
v3.3.0b2
v3.3.0rc1
v3.3.0rc2
v3.3.0rc3
v3.4.0a1
v3.4.0a2
v3.4.0a3
v3.4.0a4
v3.4.0b1
v3.4.0b2
v3.4.0b3
v3.5.0a1
v3.5.0a2
v3.5.0a3
v3.5.0a4
v3.5.0b1
v3.6.0a3
v3.6.0b1
v3.7.0a2
v3.9.0a2
Database specific
vanir_signatures
[
{
"signature_type": "Line",
"id": "PSF-2026-23-13eab482",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"282054346468100250562588928679692945206",
"241745087690371911974619499003941746146"
]
},
"signature_version": "v1",
"target": {
"file": "Include/pyexpat.h"
},
"source": "https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a"
},
{
"signature_type": "Function",
"id": "PSF-2026-23-17d28da6",
"deprecated": false,
"digest": {
"length": 2990.0,
"function_hash": "100837677078581469210422368217459004578"
},
"signature_version": "v1",
"target": {
"function": "_elementtree_XMLParser___init___impl",
"file": "Modules/_elementtree.c"
},
"source": "https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a"
},
{
"signature_type": "Line",
"id": "PSF-2026-23-2da9aa18",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"200809790425200767353365779645814661145",
"338571468881071273146244236238519698763",
"158710132041207750309477001233984228072",
"52491913065894657274224157621680217981",
"231686096489310269328649624848028668734",
"9764412166215748283159686165100133222",
"143444819121599425158698232384205236527"
]
},
"signature_version": "v1",
"target": {
"file": "Include/internal/pycore_pyhash.h"
},
"source": "https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566"
},
{
"signature_type": "Function",
"id": "PSF-2026-23-40d083c4",
"deprecated": false,
"digest": {
"length": 2990.0,
"function_hash": "100837677078581469210422368217459004578"
},
"signature_version": "v1",
"target": {
"function": "_elementtree_XMLParser___init___impl",
"file": "Modules/_elementtree.c"
},
"source": "https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4"
},
{
"signature_type": "Line",
"id": "PSF-2026-23-426b5dbb",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"235540386729885170438800261319618750470",
"172128923270737101073236902300203403709",
"307193223577402528095909077030823192072",
"52491913065894657274224157621680217981",
"231686096489310269328649624848028668734",
"9764412166215748283159686165100133222",
"143444819121599425158698232384205236527"
]
},
"signature_version": "v1",
"target": {
"file": "Include/internal/pycore_pyhash.h"
},
"source": "https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f"
},
{
"signature_type": "Line",
"id": "PSF-2026-23-45eda978",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"331466583639241250362361799100269972853",
"268201616245445465644069845275318051766",
"162056430873582821825539244461100327069",
"205189259492710410910413780725664212883"
]
},
"signature_version": "v1",
"target": {
"file": "Modules/_elementtree.c"
},
"source": "https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566"
},
{
"signature_type": "Line",
"id": "PSF-2026-23-588d9fcd",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"282054346468100250562588928679692945206",
"241745087690371911974619499003941746146"
]
},
"signature_version": "v1",
"target": {
"file": "Include/pyexpat.h"
},
"source": "https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566"
},
{
"signature_type": "Function",
"id": "PSF-2026-23-5e07327e",
"deprecated": false,
"digest": {
"length": 2990.0,
"function_hash": "100837677078581469210422368217459004578"
},
"signature_version": "v1",
"target": {
"function": "_elementtree_XMLParser___init___impl",
"file": "Modules/_elementtree.c"
},
"source": "https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566"
},
{
"signature_type": "Line",
"id": "PSF-2026-23-6078bfbf",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"139223617181001955104759715207834526056",
"228426983551421850305035845652555746849",
"157063243252423991660603289123046198519",
"126873213760035561109826808365762501927",
"156149891684222126871834519137026026373",
"285177093540853341381039225061555051327",
"123367630945934901850591089140463774569",
"203907525583600214249590754539200999315"
]
},
"signature_version": "v1",
"target": {
"file": "Modules/pyexpat.c"
},
"source": "https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4"
},
{
"signature_type": "Line",
"id": "PSF-2026-23-6f2ef549",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"282054346468100250562588928679692945206",
"241745087690371911974619499003941746146"
]
},
"signature_version": "v1",
"target": {
"file": "Include/pyexpat.h"
},
"source": "https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4"
},
{
"signature_type": "Function",
"id": "PSF-2026-23-6f360086",
"deprecated": false,
"digest": {
"length": 1341.0,
"function_hash": "282746458073661659926039957721266319977"
},
"signature_version": "v1",
"target": {
"function": "newxmlparseobject",
"file": "Modules/pyexpat.c"
},
"source": "https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566"
},
{
"signature_type": "Function",
"id": "PSF-2026-23-742ecc50",
"deprecated": false,
"digest": {
"length": 2990.0,
"function_hash": "100837677078581469210422368217459004578"
},
"signature_version": "v1",
"target": {
"function": "_elementtree_XMLParser___init___impl",
"file": "Modules/_elementtree.c"
},
"source": "https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f"
},
{
"signature_type": "Line",
"id": "PSF-2026-23-7545dd1a",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"331466583639241250362361799100269972853",
"268201616245445465644069845275318051766",
"162056430873582821825539244461100327069",
"205189259492710410910413780725664212883"
]
},
"signature_version": "v1",
"target": {
"file": "Modules/_elementtree.c"
},
"source": "https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a"
},
{
"signature_type": "Line",
"id": "PSF-2026-23-7594aa45",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"331466583639241250362361799100269972853",
"268201616245445465644069845275318051766",
"162056430873582821825539244461100327069",
"205189259492710410910413780725664212883"
]
},
"signature_version": "v1",
"target": {
"file": "Modules/_elementtree.c"
},
"source": "https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4"
},
{
"signature_type": "Function",
"id": "PSF-2026-23-7afd403d",
"deprecated": false,
"digest": {
"length": 1341.0,
"function_hash": "282746458073661659926039957721266319977"
},
"signature_version": "v1",
"target": {
"function": "newxmlparseobject",
"file": "Modules/pyexpat.c"
},
"source": "https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4"
},
{
"signature_type": "Line",
"id": "PSF-2026-23-96e32c16",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"200809790425200767353365779645814661145",
"338571468881071273146244236238519698763",
"158710132041207750309477001233984228072",
"52491913065894657274224157621680217981",
"231686096489310269328649624848028668734",
"9764412166215748283159686165100133222",
"143444819121599425158698232384205236527"
]
},
"signature_version": "v1",
"target": {
"file": "Include/internal/pycore_pyhash.h"
},
"source": "https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a"
},
{
"signature_type": "Function",
"id": "PSF-2026-23-a310f3cc",
"deprecated": false,
"digest": {
"length": 1341.0,
"function_hash": "282746458073661659926039957721266319977"
},
"signature_version": "v1",
"target": {
"function": "newxmlparseobject",
"file": "Modules/pyexpat.c"
},
"source": "https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a"
},
{
"signature_type": "Line",
"id": "PSF-2026-23-b03a43ed",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"139223617181001955104759715207834526056",
"228426983551421850305035845652555746849",
"157063243252423991660603289123046198519",
"126873213760035561109826808365762501927",
"156149891684222126871834519137026026373",
"285177093540853341381039225061555051327",
"123367630945934901850591089140463774569",
"203907525583600214249590754539200999315"
]
},
"signature_version": "v1",
"target": {
"file": "Modules/pyexpat.c"
},
"source": "https://github.com/python/cpython/commit/eeea765cb9d8f1fc3d8918b272ac3c477983f27a"
},
{
"signature_type": "Line",
"id": "PSF-2026-23-b1b9434c",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"331466583639241250362361799100269972853",
"268201616245445465644069845275318051766",
"162056430873582821825539244461100327069",
"205189259492710410910413780725664212883"
]
},
"signature_version": "v1",
"target": {
"file": "Modules/_elementtree.c"
},
"source": "https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f"
},
{
"signature_type": "Line",
"id": "PSF-2026-23-b72642ca",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"139223617181001955104759715207834526056",
"228426983551421850305035845652555746849",
"157063243252423991660603289123046198519",
"126873213760035561109826808365762501927",
"156149891684222126871834519137026026373",
"285177093540853341381039225061555051327",
"123367630945934901850591089140463774569",
"203907525583600214249590754539200999315"
]
},
"signature_version": "v1",
"target": {
"file": "Modules/pyexpat.c"
},
"source": "https://github.com/python/cpython/commit/3573b3b1ecbd99030a0b18658e1bfece771b2566"
},
{
"signature_type": "Line",
"id": "PSF-2026-23-e48a3ebd",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"139223617181001955104759715207834526056",
"228426983551421850305035845652555746849",
"157063243252423991660603289123046198519",
"126873213760035561109826808365762501927",
"156149891684222126871834519137026026373",
"285177093540853341381039225061555051327",
"123367630945934901850591089140463774569",
"203907525583600214249590754539200999315"
]
},
"signature_version": "v1",
"target": {
"file": "Modules/pyexpat.c"
},
"source": "https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f"
},
{
"signature_type": "Line",
"id": "PSF-2026-23-e9ebe48a",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"200809790425200767353365779645814661145",
"338571468881071273146244236238519698763",
"158710132041207750309477001233984228072",
"52491913065894657274224157621680217981",
"231686096489310269328649624848028668734",
"9764412166215748283159686165100133222",
"143444819121599425158698232384205236527"
]
},
"signature_version": "v1",
"target": {
"file": "Include/internal/pycore_pyhash.h"
},
"source": "https://github.com/python/cpython/commit/24b8f12544468e4cedf5bfbe25442fcd495391e4"
},
{
"signature_type": "Function",
"id": "PSF-2026-23-ea80eeb2",
"deprecated": false,
"digest": {
"length": 1341.0,
"function_hash": "282746458073661659926039957721266319977"
},
"signature_version": "v1",
"target": {
"function": "newxmlparseobject",
"file": "Modules/pyexpat.c"
},
"source": "https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f"
},
{
"signature_type": "Line",
"id": "PSF-2026-23-f133fdd1",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"282054346468100250562588928679692945206",
"241745087690371911974619499003941746146"
]
},
"signature_version": "v1",
"target": {
"file": "Include/pyexpat.h"
},
"source": "https://github.com/python/cpython/commit/fc9b11ff49cbc82e6f917d07a61517a2b5f3145f"
}
]
source
"https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2026-23.json"
vanir_signatures_modified
"2026-06-11T02:04:37Z"