CVE-2026-7210

UNKNOWN 0.0

The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

CWE	CWE-331
Vendor	python software foundation
Product	cpython
Published	May 11, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for python software foundation cpython

Be the first to know when new unknown vulnerabilities affecting python software foundation cpython are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Python Software Foundation / CPython

0 < 3.15.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

mail.python.org: https://mail.python.org/archives/list/[email protected]/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/ github.com: https://github.com/python/cpython/pull/149023 github.com: https://github.com/python/cpython/issues/149018 openwall.com: http://www.openwall.com/lists/oss-security/2026/05/11/8 openwall.com: http://www.openwall.com/lists/oss-security/2026/05/11/13

Credits

Stan Ulbrych (https://github.com/StanFromIreland) Gregory P. Smith (https://github.com/gpshead)