CVE-2026-15308
PUBLISHED
Published: 09 Jul 2026, 17:10
Last modified:09 Jul 2026, 17:31
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
10 CRITICAL
v4.0 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
09 Jul 2026, 17:10
Published
Vulnerability first disclosed
09 Jul 2026, 17:31
Last Modified
Vulnerability information updated
Description
The incremental HTML parser (html.parser.HTMLParser) allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data.
CVSS Metrics
- v4.0•CRITICAL•Score: 10CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Techniques & Countermeasures
- CWE-400•Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
Affected Systems
- python software foundation•cpython
< 3.15.0
References (7)
- https://mail.python.org/archives/list/security-announce@python.org/thread/F6453LWKSHKCTWFLCOURWPLETNUIW2Z5/
- https://github.com/python/cpython/pull/153031
- https://github.com/python/cpython/issues/153030
- https://github.com/python/cpython/commit/07efb08123ba9367a7107325adb9d5626dca1ca9
- https://github.com/python/cpython/commit/7933f4bf7131aa4140750f9404f5de0aa2969ced
- https://github.com/python/cpython/commit/bcf98ddbc40ec9b3ee87da0124a5660b19b7e606
- https://github.com/python/cpython/commit/e9f92ac0b298292e7ff998e52cb8ccacfb27a0bd