Denial-of-Service Vulnerability in Python's HTML Parser
CVE-2026-15308
10CRITICAL
What is CVE-2026-15308?
The incremental HTML parser, part of Python's standard library, is vulnerable to denial-of-service attacks. Attackers may exploit this vulnerability by submitting malformed or unterminated markup declarations, leading to excessive CPU usage and potential stability issues for affected applications. Proper input validation and handling of markup can mitigate the impact. Users are advised to review the provided advisory and patches for protection against this vulnerability.
Affected Version(s)
CPython 0 < 3.15.0
References
CVSS V4
Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Edward-x (https://github.com/YLChen-007)
Serhiy Storchaka (https://github.com/serhiy-storchaka)
Gregory P. Smith (https://github.com/gpshead)
Seth Larson (https://github.com/sethmlarson)
