EUVD-2026-14287
GHSA-5239-wwwm-4pmq
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
5Tags
Description
A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Analysis
A regular expression denial-of-service (ReDoS) vulnerability exists in Pygments up to version 2.19.2, specifically in the AdlLexer component within pygments/lexers/archetype.py. An attacker with local access can craft malicious input that triggers inefficient regex pattern matching, causing high CPU consumption and service degradation. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 2.7.1+dfsg-2.1 | - |
| bookworm | vulnerable | 2.14.0+dfsg-1 | - |
| trixie | vulnerable | 2.18.0+dfsg-2 | - |
| forky, sid | vulnerable | 2.19.2+dfsg-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today