CVE-2026-4539

EUVD-2026-14287
A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.3 LOW
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
pygments
bookworm
no-dsa
bullseye
postponed
forky
vulnerable
sid
vulnerable
trixie
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
pygments
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
resolute
needs-triage
trusty
needs-triage
xenial
needs-triage
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
python3-Pygments
suse enterprise server 15 SP4
2.6.1-150300.4.6.1
fixed
python311-Pygments
suse enterprise server 15 SP4
2.15.1-150400.7.10.1
fixed
Common Weakness Enumeration
References
https://github.com/pygments/pygments/
https://github.com/pygments/pygments/issues/3058
https://vuldb.com/?ctiid.352327
https://vuldb.com/?id.352327
https://vuldb.com/?submit.774685