What is GHSA-wxv8-w48j-r2f4?

GHSA-wxv8-w48j-r2f4 is a security advisory published by GitHub Security Advisories with Medium severity. `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding...

Which CVE IDs does GHSA-wxv8-w48j-r2f4 cover?

GHSA-wxv8-w48j-r2f4 covers the following CVE IDs: CVE-2026-7210. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-wxv8-w48j-r2f4?

GHSA-wxv8-w48j-r2f4 has a CVSS v3 base score of 9.8, published by GitHub Security Advisories.

GHSA-wxv8-w48j-r2f4MediumCVSS 9.8

`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding...

Vendor

GitHub Security Advisories

Published

May 11, 2026

Last Modified

May 16, 2026

🔗 CVE IDs covered (1)

CVE-2026-7210 →

📋 Description

`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

🔗 References (7)

https://nvd.nist.gov/vuln/detail/CVE-2026-7210
https://github.com/python/cpython/issues/149018
https://github.com/python/cpython/pull/149023
https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K
http://www.openwall.com/lists/oss-security/2026/05/11/8
http://www.openwall.com/lists/oss-security/2026/05/11/13
https://github.com/advisories/GHSA-wxv8-w48j-r2f4