Denial-of-Service Vulnerability in Python's HTML Parser
CVE-2026-15308

10CRITICAL

What is CVE-2026-15308?

The incremental HTML parser, part of Python's standard library, is vulnerable to denial-of-service attacks. Attackers may exploit this vulnerability by submitting malformed or unterminated markup declarations, leading to excessive CPU usage and potential stability issues for affected applications. Proper input validation and handling of markup can mitigate the impact. Users are advised to review the provided advisory and patches for protection against this vulnerability.

Affected Version(s)

CPython 0 < 3.15.0

References

CVSS V4

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Edward-x (https://github.com/YLChen-007)
Serhiy Storchaka (https://github.com/serhiy-storchaka)
Gregory P. Smith (https://github.com/gpshead)
Seth Larson (https://github.com/sethmlarson)
.