CVE-2026-7210— The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Python Software Foundation | CPython | < 3.15.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-7210
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
Source: NVD (National Vulnerability Database)
Vulnerability Description
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息熵不充分
Source: NVD (National Vulnerability Database)
Vulnerability Title
CPython 安全特征问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
CPython是Python基金会的一个用C语言实现的Python解释器。 CPython存在安全特征问题漏洞,该漏洞源于Expat哈希洪水保护使用不足的熵,可能导致特制XML文档触发哈希洪水。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Python Software Foundation | CPython | 0 ~ 3.15.0 | - |
II. Public POCs for CVE-2026-7210
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-7210
请登录查看更多情报信息。
- https://github.com/python/cpython/issues/149018issue-tracking
- https://nvd.nist.gov/vuln/detail/CVE-2026-7210
IV. Related Vulnerabilities
Same product: CPython
- CVE-2026-8328
FTP PASV SSRF, ftpcp() does not use actual peer address, tru - CVE-2026-3087
shutil.unpack_archive() doesn't check for Windows absolute p - CVE-2026-6019
BaseCookie.js_output() does not neutralize embedded characte - CVE-2026-3298
Out-of-bounds write in Windows asyncio.ProacterEventLoop.soc - CVE-2026-5713
Out-of-bounds read/write during remote profiling and asyncio
Same vendor: Python Software Foundation
- CVE-2026-8328
FTP PASV SSRF, ftpcp() does not use actual peer address, tru - CVE-2026-3087
shutil.unpack_archive() doesn't check for Windows absolute p - CVE-2026-6019
BaseCookie.js_output() does not neutralize embedded characte - CVE-2026-3298
Out-of-bounds write in Windows asyncio.ProacterEventLoop.soc - CVE-2026-5713
Out-of-bounds read/write during remote profiling and asyncio
Same weakness: CWE-331
- CVE-2026-8700
Crypt::DSA versions before 1.20 for Perl generate seeds usin - CVE-2026-46474
Trog::TOTP versions before 1.006 for Perl generate secrets u - CVE-2025-14972
Insufficient DPA countermeasure reseeding - CVE-2026-4827
Insufficient Entropy vulnerability on Multiple Products - CVE-2026-2336
Weak webstax_auth Cookie Authentication Allows Privilege Esc
V. Comments for CVE-2026-7210
No comments yet