Insufficient Entropy Vulnerability in Python Expat XML Parser
CVE-2026-7210

6.3 MEDIUM

What is CVE-2026-7210?

An insufficient entropy vulnerability in xml.parsers.expat and xml.etree.ElementTree weakens the hash-flooding protections of the underlying Expat library. By sending a specially crafted XML document, an attacker can trigger hash flooding and potentially cause a denial of service. To safeguard systems, users must update to libexpat version 2.8.0 or later and apply the relevant patch.

Affected Version(s)

CPython versions before 3.15.0

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Stan Ulbrych (https://github.com/StanFromIreland)
Gregory P. Smith (https://github.com/gpshead)