PSF-2026-23

See a problem?

Import Source

https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2026-23.json

JSON Data

https://api.osv.dev/v1/vulns/PSF-2026-23

Aliases

BIT-libpython-2026-7210
BIT-python-2026-7210
BIT-python-min-2026-7210
CVE-2026-7210

Published

2026-05-11T17:19:09.784Z

Modified

2026-05-15T12:56:22.795905391Z

Summary

[none]

Details

xml.parsers.expat and xml.etree.ElementTree use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

Database specific

{
    "cwe_ids": []
}

References

https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/
https://github.com/python/cpython/pull/149023
https://github.com/python/cpython/issues/149018

Affected packages

Git / github.com/python/cpython

Affected ranges

Type: GIT
Repo: https://github.com/python/cpython
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Database specific

source

"https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2026-23.json"