CVE-2026-7210

EUVD-2026-29178
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
PSFCNA
6.3 MEDIUM
NETWORK
HIGH
NONE
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
pythoncpython
𝑥
< 3.15.0
CNA
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/python/cpython/issues/149018
https://github.com/python/cpython/pull/149023
https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/
http://www.openwall.com/lists/oss-security/2026/05/11/13
http://www.openwall.com/lists/oss-security/2026/05/11/8