CVE-2026-41080EXPLOITEDPATCHED

libexpat_project · libexpat

CVE-2026-41080: libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Description

libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Affected Products

Vendor	Product	Versions
libexpat_project	libexpat	0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
open source	expat	cert_advisory	90%

References

Related News (4 articles)

Tier C

oss-security62d ago

libexpat 2.8.0 fixes CVE-2026-41080 (insufficient entropy)

→ No new info (linked only)

Tier A

Microsoft MSRC64d ago

CVE-2026-41080

→ No new info (linked only)

Tier B

BSI Advisories72d ago

[NEU] [niedrig] expat: Schwachstelle ermöglicht Denial of Service

→ No new info (linked only)

Tier C

VulDB72d ago

CVE-2026-41080 | libexpat up to 2.7.5 XML Document entropy (ID 47 / EUVD-2026-23276)

CVSS 3.12.9 LOW

VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

2.7.6

CWECWE-331

PublishedApr 16, 2026

Last enriched72d agov3

Trending Score0

Source articles4

Independent4

Info Completeness10/14

Missing: epss, kev, iocs, mitre_attack

Community Vote

Version History

Last enriched 72d ago

v3Tier B72d ago

Updated severity to LOW and marked the vulnerability as exploit available and actively exploited.

severityexploitAvailableactivelyExploited

via BSI Advisories

v2Tier C72d ago

Updated affected versions to include 2.7.5, changed severity to MEDIUM, and noted that no exploit is available.

affectedVersionsseverity

via VulDB

v172d ago

Initial creation

CVE-2026-41080: libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Description

Affected Products

Also Affects

References

Related News (4 articles)

Community Vote

Related CVEs (3)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History