PYSEC-2026-1270

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/configobj/PYSEC-2026-1270.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1270
Aliases
Published
2026-07-07T11:45:17.786428Z
Modified
2026-07-07T17:47:12.898028785Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
configobj ReDoS exploitable by developer using values in a server-side configuration file
Details

All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)((.*)). Note: This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.

References

Affected packages

PyPI / configobj

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.0.9

Affected versions

4.*
4.4.0
4.5.0
4.5.1
4.5.2
4.5.3
4.6.0
4.7.0
4.7.1
4.7.2
5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/configobj/PYSEC-2026-1270.yaml"