CVE-2026-15308 PUBLISHED

Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations

Assigner: PSF
Reserved: 09.07.2026 Published: 09.07.2026 Updated: 09.07.2026

The incremental HTML parser (html.parser.HTMLParser) allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor Python Software Foundation
Product CPython
Versions Default: unaffected
  • affected from 0 to 3.15.0 (excl.)

Credits

  • Edward-x (https://github.com/YLChen-007) reporter
  • Serhiy Storchaka (https://github.com/serhiy-storchaka) remediation developer
  • Gregory P. Smith (https://github.com/gpshead) remediation reviewer
  • Seth Larson (https://github.com/sethmlarson) coordinator

References

Problem Types

  • CWE-400 CWE