CVE-2026-15308

Python · CPython

The CPython incremental HTML parser is vulnerable to a denial-of-service condition via resource exhaustion, triggered by processing specially crafted HTML content.

Executive summary

A critical resource exhaustion vulnerability in the CPython HTML parser could allow an unauthenticated attacker to cause significant service disruption.

Vulnerability

This vulnerability involves a denial-of-service (CWE-400) flaw in the incremental HTML parser. An unauthenticated attacker can exploit this by providing malicious input that forces the parser to consume excessive resources, leading to application instability or crashes.

Business impact

Successful exploitation of this vulnerability results in a denial-of-service, which can lead to extended periods of system downtime for applications relying on the affected CPython parser. Given the CVSS score of 8.7, this is considered a high-severity issue that could severely impact business continuity if the affected services are customer-facing or mission-critical.

Remediation

Immediate Action: Upgrade all instances of CPython to version 3.15.0 or later immediately to incorporate the necessary security patches.

Proactive Monitoring: Monitor server CPU and memory utilization patterns for spikes associated with HTML parsing tasks, which may indicate attempted exploitation.

Compensating Controls: Implement strict input validation and rate limiting on any interfaces that process user-supplied HTML content to reduce the attack surface.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this flaw necessitates immediate attention, particularly in environments that handle untrusted HTML input. Organizations must prioritize upgrading to the patched version of CPython to mitigate the risk of service disruption.