Denial of Service Vulnerability in Soup Sieve Library by Faceless User
CVE-2026-49476
7.5HIGH
What is CVE-2026-49476?
The Soup Sieve library, utilized with Beautiful Soup 4, contains a vulnerability where the CSS selector parser can allocate unlimited memory due to the lack of bounds on memory allocation when compiling large selector lists. An attacker can exploit this by supplying a specifically crafted selector string to the functions soupsieve.compile() or Beautiful Soup's .select() / .select_one(). This can lead to significant memory consumption, potentially resulting in a denial of service. The issue has been addressed in version 2.8.4.
Affected Version(s)
soupsieve < 2.8.4
