{"id":"PSF-2026-23","details":"`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\n\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying the CPython patch referenced in this advisory.","aliases":["BIT-libpython-2026-7210","BIT-python-2026-7210","BIT-python-min-2026-7210","CVE-2026-7210"],"modified":"2026-05-15T12:56:22.795905391Z","published":"2026-05-11T17:19:09.784Z","database_specific":{"cwe_ids":[]},"references":[{"type":"ADVISORY","url":"https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/"},{"type":"WEB","url":"https://github.com/python/cpython/pull/149023"},{"type":"REPORT","url":"https://github.com/python/cpython/issues/149018"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/python/cpython","events":[{"introduced":"0"}]}],"database_specific":{"source":"https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2026-23.json"}}],"schema_version":"1.7.5"}