-------- Forwarded Message --------
Subject:        [Security-announce][CVE-2026-7210] The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
Date:   Mon, 11 May 2026 17:58:49 +0100
From:   Stan Ulbrych via Security-announce <[email protected]>
Reply-To:       [email protected]
To:     [email protected]
CC:     Stan Ulbrych <[email protected]>



There is a MEDIUM severity vulnerability affecting CPython.

`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for 
Expat hash-flooding protection, which allows a crafted XML document to trigger 
hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or 
later and applying this patch.

Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2026-7210
* https://github.com/python/cpython/pull/149023

Best regards,
  Stan Ulbrych.
_______________________________________________
Security-announce mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3//lists/security-announce.python.org
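
The advisory says full mitigation needs libexpat 2.8.0 or later as well as the CPython patch. The following check for the libexpat half is an added example, not part of the announcement or of the CPython patch; the host names and versions in the sample inventory are constructed, and the helper names are hypothetical.

```python
import re
import sys
from xml.parsers import expat

REQUIRED_EXPAT = (2, 8, 0)  # minimum libexpat release named in the advisory

def parse_expat_version(text):
    """Turn 'expat_2.7.1' (the EXPAT_VERSION form) or '2.8.0' into an int tuple."""
    m = re.fullmatch(r"(?:expat_)?(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised expat version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def meets_minimum(version, required=REQUIRED_EXPAT):
    """Compare as integer tuples so that 2.10.0 ranks above 2.8.0."""
    return tuple(version) >= tuple(required)

def local_report():
    """Describe the libexpat that this interpreter's pyexpat module reports."""
    linked = tuple(expat.version_info)
    return {
        "python": sys.version.split()[0],
        "libexpat": ".".join(str(n) for n in linked),
        "libexpat_ok": meets_minimum(linked),
        # Whether the CPython-side patch is present cannot be read from these
        # values; compare "python" with the affected versions in the CVE record.
    }

def hosts_below_minimum(inventory):
    """Return the sorted host names whose recorded libexpat is older than required."""
    return sorted(host for host, ver in inventory.items()
                  if not meets_minimum(parse_expat_version(ver)))

# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "build-01": "expat_2.7.1",
    "web-02": "expat_2.8.0",
    "batch-03": "2.10.0",
    "legacy-04": "expat_2.4.9",
}

if __name__ == "__main__":
    print(local_report())
    print("needs libexpat update:", hosts_below_minimum(SAMPLE_INVENTORY))
```

A passing libexpat check covers only one of the two conditions in the advisory; the interpreter itself must also carry the patch.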