Home

Description

The incremental HTML parser (html.parser.HTMLParser) allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data.

PUBLISHED Reserved 2026-07-09 | Published 2026-07-09 | Updated 2026-07-09 | Assigner PSF




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-400

Product status

Default status
unaffected

Any version before 3.15.0
affected

Credits

Edward-x (https://github.com/YLChen-007) reporter

Serhiy Storchaka (https://github.com/serhiy-storchaka) remediation developer

Gregory P. Smith (https://github.com/gpshead) remediation reviewer

Seth Larson (https://github.com/sethmlarson) coordinator

References

www.openwall.com/lists/oss-security/2026/07/09/4

mail.python.org/.../thread/F6453LWKSHKCTWFLCOURWPLETNUIW2Z5/ vendor-advisory

github.com/python/cpython/pull/153031 patch

github.com/python/cpython/issues/153030 issue-tracking

github.com/...ommit/07efb08123ba9367a7107325adb9d5626dca1ca9 patch

github.com/...ommit/7933f4bf7131aa4140750f9404f5de0aa2969ced patch

github.com/...ommit/bcf98ddbc40ec9b3ee87da0124a5660b19b7e606 patch

github.com/...ommit/e9f92ac0b298292e7ff998e52cb8ccacfb27a0bd patch

cve.org (CVE-2026-15308)

nvd.nist.gov (CVE-2026-15308)

Download JSON