Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2628 articles · 174587 vulns · 37/41 feeds (7d)
← Back to list
—
CVE-2026-15308EXPLOITEDPATCHED
python · python

Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations

Description

The incremental HTML parser (html.parser.HTMLParser) allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data.

Affected Products

VendorProductVersions
pythonpython0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
open sourcepythoncert_advisory90%

References

  • https://mail.python.org/archives/list/security-announce@python.org/thread/F6453LWKSHKCTWFLCOURWPLETNUIW2Z5/(vendor-advisory)
  • https://github.com/python/cpython/pull/153031(patch)
  • https://github.com/python/cpython/issues/153030(issue-tracking)
  • https://github.com/python/cpython/commit/07efb08123ba9367a7107325adb9d5626dca1ca9(patch)
  • https://github.com/python/cpython/commit/7933f4bf7131aa4140750f9404f5de0aa2969ced(patch)
  • https://github.com/python/cpython/commit/bcf98ddbc40ec9b3ee87da0124a5660b19b7e606(patch)
  • https://github.com/python/cpython/commit/e9f92ac0b298292e7ff998e52cb8ccacfb27a0bd(patch)

Related News (5 articles)

Tier A
Microsoft MSRC13h ago
CVE-2026-15308 Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations
→ No new info (linked only)
Tier B
BSI Advisories2d ago
[NEU] [hoch] CPython: Schwachstelle ermöglicht Denial of Service
→ No new info (linked only)
Tier B
CERT-FR2d ago
Vulnérabilité dans CPython (10 juillet 2026)
→ No new info (linked only)
Tier C
VulDB3d ago
CVE-2026-15308 | Python up to 3.14.x Incremental HTML Parser HTMLParser denial of service
→ No new info (linked only)
Tier C
oss-security3d ago
[oss-security][CVE-2026-15308] Incremental HTMLParser allows CPU-exhaustion DoS via repeated unterminated markup declarations
→ No new info (linked only)
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
3.16.0
CWECWE-400
PublishedJul 9, 2026
Last enriched3d agov3
Trending Score68
Source articles5
Independent5
Info Completeness9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

MEDIUMCVE-2026-55380EXP
Pillow GdImageFile decompression bomb protection bypass
Trending: 25
MEDIUMCVE-2026-55798EXP
Pillow: WindowsViewer.get_command() OS command injection via unescaped shell path
Trending: 21
HIGHCVE-2026-54006
Open WebUI: Calendar event re-parenting allows writing events into another user's calendar
Trending: 4
HIGHCVE-2026-54010
Open WebUI: Forged chat-file link allows cross-user file read and deletion
Trending: 4
HIGHCVE-2026-54013
Open WebUI: Stored XSS to Account Takeover via Model Profile Images in Open WebUI
Trending: 4

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 9, 2026
Discovered by ZDM
Jul 9, 2026
Updated: affectedVersions, severity, exploitAvailable, activelyExploited
Jul 9, 2026
Updated: affectedVersions, severity
Jul 9, 2026
Actively Exploited
Jul 9, 2026
Exploit Available
Jul 9, 2026
Patch Available
Jul 9, 2026

Version History

v3
Last enriched 3d ago
v3Tier C3d ago

Updated affected versions to include 3.14.x, changed severity to MEDIUM, and noted no exploit available.

affectedVersionsseverity
via VulDB
v2Tier C3d ago

Updated affected versions to include all versions before Python 3.15.0, changed severity to HIGH, and marked exploit as available and actively exploited.

affectedVersionsseverityexploitAvailableactivelyExploited
via oss-security
v13d ago

Initial creation