CVE-2026-7210: XML Parsing Software May Crash from Malicious Data
Identifiers
- CVE-2026-7210
- BIT-libpython-2026-7210
- BIT-python-2026-7210
- PSF-2026-23
Summary
XML parsing software built on the Expat library, including Python's `xml.parsers.expat` and `xml.etree.ElementTree` modules, can be crashed or stalled by a specially crafted XML document. The cause is that the randomisation Expat uses to protect its internal hash tables against hash flooding is seeded with insufficient entropy, so an attacker-controlled document can still trigger worst-case hash collisions. Full mitigation requires both updating the Expat library to version 2.8.0 or later and applying the accompanying CPython patch.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Bitnami | – | python | All versions |
| Bitnami | – | python-min | All versions |
| Bitnami | – | libpython | All versions |
| – | libexpat_project | libexpat | < 2.8.0 (cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*) |
Original title
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding. Fully mitigating th...
Original description
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
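The description above gives one half of the mitigation as a concrete version threshold (libexpat 2.8.0 or later). The following inventory check, added here and not part of the advisory or of CPython, reads the Expat version bundled with the running interpreter via `pyexpat.version_info` (falling back to the `pyexpat.EXPAT_VERSION` string) and compares it against that threshold. It cannot tell whether the CPython-side patch has been applied; passing it is necessary, not sufficient.

```python
# Added example: does the Expat linked into this Python meet the advisory's
# minimum of 2.8.0? Only the libexpat half of the mitigation is checked;
# the CPython patch the advisory also requires is not detectable this way.
import re

import pyexpat

MIN_EXPAT = (2, 8, 0)  # from the advisory: affected libexpat is < 2.8.0


def parse_expat_version(text):
    """Turn a string such as 'expat_2.8.0' (pyexpat.EXPAT_VERSION format)
    into an integer tuple. Raises ValueError if no version is present."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError("no Expat version found in %r" % text)
    return tuple(int(part) for part in match.groups())


def expat_version(version=None):
    """Return the Expat version as a tuple. With no argument, use the
    bundled library; a tuple or a version string may be passed for testing."""
    if version is None:
        version = getattr(pyexpat, "version_info", None)
        if version is None:  # very old builds only expose the string form
            version = pyexpat.EXPAT_VERSION
    if isinstance(version, str):
        return parse_expat_version(version)
    return tuple(int(part) for part in version)


def expat_meets_minimum(version=None, minimum=MIN_EXPAT):
    """True when the Expat version is at or above the advisory's minimum."""
    return expat_version(version) >= tuple(minimum)


def report(version=None):
    """One line suitable for a CI or fleet-inventory script."""
    v = expat_version(version)
    status = "ok" if expat_meets_minimum(v) else "UPDATE NEEDED (CVE-2026-7210)"
    return "libexpat %s: %s" % (".".join(str(p) for p in v), status)


if __name__ == "__main__":
    print(report())
```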
NVD CVSS 4.0 score: 6.3
Vulnerability type
CWE-331 (Insufficient Entropy)
References
- http://www.openwall.com/lists/oss-security/2026/05/11/13
- http://www.openwall.com/lists/oss-security/2026/05/11/8
- https://nvd.nist.gov/vuln/detail/CVE-2026-7210
- https://github.com/python/cpython/issues/149018
- https://github.com/python/cpython/pull/149023
- https://mail.python.org/archives/list/[email protected]/thread/PNY5OM...
Published: 11 May 2026 · Updated: 28 May 2026 · First seen: 11 May 2026