Denial of Service Vulnerability in Soup Sieve Library by Faceless User
CVE-2026-49476

7.5HIGH

Key Information:

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-49476?

The Soup Sieve library, utilized with Beautiful Soup 4, contains a vulnerability where the CSS selector parser can allocate unlimited memory due to the lack of bounds on memory allocation when compiling large selector lists. An attacker can exploit this by supplying a specifically crafted selector string to the functions soupsieve.compile() or Beautiful Soup's .select() / .select_one(). This can lead to significant memory consumption, potentially resulting in a denial of service. The issue has been addressed in version 2.8.4.

Affected Version(s)

soupsieve < 2.8.4

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.