CVE-2026-15308
Received Received - Intake

Denial-of-Service in Python html.parser via Unterminated Markup

Vulnerability report for CVE-2026-15308, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Python Software Foundation

Description

The incremental HTML parser (html.parser.HTMLParser) allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
python htmlparser From 3.10 (inc) to 3.15 (inc)
python cpython From 3.10 (inc) to 3.16 (inc)
python python From 3.10 (inc) to 3.16 (inc)
python python From 3.10 (inc) to 3.15 (inc)
python html_parser *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-15308 is a security vulnerability in Python's incremental HTML parser (html.parser.HTMLParser) that causes a denial-of-service condition by exploiting a worst-case quadratic time complexity during parsing.

The issue arises when the parser processes uncontrolled data containing repeated unterminated markup declarations, such as tags or comments that span multiple feed() calls. This causes the parser to repeatedly rescan and concatenate growing buffers inefficiently, leading to excessive CPU usage.

The vulnerability was fixed by changing the parser to accumulate new data in a list and only join and parse it once enough data is collected, reducing the complexity from quadratic to linear time.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) attack by exhausting CPU resources when processing maliciously crafted HTML data with repeated unterminated markup declarations.

An attacker could exploit this flaw to degrade the performance of applications using Python's HTMLParser, potentially causing them to become unresponsive or crash due to high CPU consumption.

Because the vulnerability allows for CPU exhaustion without requiring any privileges or user interaction, it poses a high severity risk to affected systems.

Detection Guidance

This vulnerability manifests as a CPU denial-of-service caused by the incremental HTML parser (html.parser.HTMLParser) when processing repeated unterminated markup declarations in uncontrolled data.

Detection involves monitoring for unusually high CPU usage or performance degradation in Python applications that use the html.parser.HTMLParser module, especially when parsing HTML data incrementally.

There are no specific commands provided in the resources to detect this vulnerability directly.

Mitigation Strategies

The primary mitigation is to apply the patches that fix the vulnerability in the Python html.parser.HTMLParser module.

These patches optimize the incremental parsing process to avoid quadratic time complexity by changing how data is accumulated and parsed.

Specifically, update Python to a version that includes the fix, which has been backported to versions 3.10 through 3.15 and also applied to later versions up to 3.16.

Until patched, avoid processing uncontrolled or untrusted HTML data incrementally with html.parser.HTMLParser to reduce the risk of CPU exhaustion.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15308. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart