CPython XML Expat Hash Flooding (3.14)
CVE-2026-7210 Published on May 11, 2026
The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
Weakness Type
Insufficient Entropy
The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
Products Associated with CVE-2026-7210
Affected Versions
Python Software Foundation CPython: versions before 3.15.0 are affected.
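The two mitigation conditions above can be checked on a host with a short script. This is an added example, not code from the advisory or from CPython; the function names are illustrative, the thresholds are the ones stated on this page, and a version comparison cannot detect a patch that a distributor has backported to an older CPython.

```python
import re
import sys
from xml.parsers import expat

# Thresholds taken from the advisory text; nothing else is assumed about the fix.
FIXED_EXPAT = (2, 8, 0)     # "updating libexpat to 2.8.0 or later"
FIXED_CPYTHON = (3, 15, 0)  # "Before 3.15.0 is affected"


def parse_expat_version(text):
    """Parse a string such as 'expat_2.6.2' into the tuple (2, 6, 2)."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"unrecognised Expat version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(python_version, expat_version):
    """Compare both version tuples against the advisory's two conditions."""
    expat_ok = tuple(expat_version[:3]) >= FIXED_EXPAT
    cpython_ok = tuple(python_version[:3]) >= FIXED_CPYTHON
    findings = []
    if not expat_ok:
        findings.append("libexpat is older than 2.8.0")
    if not cpython_ok:
        # Version numbers cannot see a vendor backport of the patch.
        findings.append("CPython is older than 3.15.0; confirm the patch is applied")
    return {
        "expat_ok": expat_ok,
        "cpython_ok": cpython_ok,
        "mitigated": expat_ok and cpython_ok,  # the advisory requires both
        "findings": findings,
    }


def assess_running_interpreter():
    """Assess this interpreter and the Expat version that pyexpat reports."""
    return assess(sys.version_info[:3], parse_expat_version(expat.EXPAT_VERSION))


if __name__ == "__main__":
    report = assess_running_interpreter()
    print("Expat:", expat.EXPAT_VERSION, "| CPython:", sys.version.split()[0])
    for finding in report["findings"]:
        print("FINDING:", finding)
    sys.exit(0 if report["mitigated"] else 1)
```

Run it with each interpreter that parses untrusted XML; a non-zero exit status means at least one of the two conditions is unmet by version number.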