CVE-2026-15308
Python · CPython
The CPython incremental HTML parser is vulnerable to a denial-of-service condition via resource exhaustion, triggered by processing specially crafted HTML content.
Executive summary
A critical resource exhaustion vulnerability in the CPython HTML parser could allow an unauthenticated attacker to cause significant service disruption.
Vulnerability
This vulnerability involves a denial-of-service (CWE-400) flaw in the incremental HTML parser. An unauthenticated attacker can exploit this by providing malicious input that forces the parser to consume excessive resources, leading to application instability or crashes.
Business impact
Successful exploitation of this vulnerability results in a denial-of-service, which can lead to extended periods of system downtime for applications relying on the affected CPython parser. Given the CVSS score of 8.7, this is considered a high-severity issue that could severely impact business continuity if the affected services are customer-facing or mission-critical.
Remediation
Immediate Action: Upgrade all instances of CPython to version 3.15.0 or later immediately to incorporate the necessary security patches.
Proactive Monitoring: Monitor server CPU and memory utilization patterns for spikes associated with HTML parsing tasks, which may indicate attempted exploitation.
Compensating Controls: Implement strict input validation and rate limiting on any interfaces that process user-supplied HTML content to reduce the attack surface.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The severity of this flaw necessitates immediate attention, particularly in environments that handle untrusted HTML input. Organizations must prioritize upgrading to the patched version of CPython to mitigate the risk of service disruption.