Pygments

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Pygments.

By the Year

In 2026 there have been 1 vulnerability in Pygments with an average score of 3.3 out of ten. Pygments did not have any published security vulnerabilities last year. That is, 1 more vulnerability have already been reported in 2026 as compared to last year.

Year	Vulnerabilities	Average Score
2026	1	3.30
2025	0	0.00
2024	0	0.00
2023	1	5.50
2022	0	0.00
2021	2	7.50

It may take a day or so for new Pygments vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Pygments Security Vulnerabilities

Pygments AdlLexer Regex Complexity Flaw (2.19.2)
CVE-2026-4539 3.3 - Low - March 22, 2026

A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

ReDoS

ReDoS in Pygments SmithyLexer before 2.15.01
CVE-2022-40896 5.5 - Medium - July 19, 2023

A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.

Unrestricted File Upload

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input
CVE-2021-20270 - March 23, 2021

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

Infinite Loop

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions
CVE-2021-27291 7.5 - High - March 17, 2021

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

ReDoS

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Pygments or by Pygments? Click the Watch button to subscribe.

Pygments
Vendor

Pygments
Product

Pygments

Don't miss out!

By the Year

Recent Pygments Security Vulnerabilities

Pygments AdlLexer Regex Complexity Flaw (2.19.2) CVE-2026-4539 3.3 - Low - March 22, 2026

ReDoS in Pygments SmithyLexer before 2.15.01 CVE-2022-40896 5.5 - Medium - July 19, 2023

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input CVE-2021-20270 - March 23, 2021

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions CVE-2021-27291 7.5 - High - March 17, 2021