
Pygments CVE-2026-4539

EUVD-2026-14287 · LOW
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-03-22 · VulDB · GHSA-5239-wwwm-4pmq
CVSS 4.0 (NVD): 1.9

Severity by source

Source          Score     Vector
NVD (primary)   1.9 LOW   CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE            1.7 LOW   AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Red Hat         3.3 LOW   qualitative

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline (9 events)

  • Apr 29, 2026 01:11 (NVD): Severity changed MEDIUM → LOW
  • Apr 29, 2026 01:11 (NVD): CVSS changed 4.8 (MEDIUM) → 1.9 (LOW)
  • Apr 24, 2026 16:37 (NVD): Severity changed LOW → MEDIUM
  • Apr 24, 2026 16:37 (NVD): CVSS changed 3.3 (LOW) → 4.8 (MEDIUM)
  • Mar 31, 2026 21:13 (nvd): Patch released (patch available)
  • Mar 23, 2026 14:31 (vuln.today): PoC detected (public exploit code)
  • Mar 22, 2026 06:00 (euvd): EUVD ID assigned (EUVD-2026-14287)
  • Mar 22, 2026 06:00 (vuln.today): Analysis generated
  • Mar 22, 2026 05:35 (nvd): CVE published, LOW 3.3

Blast Radius

Ecosystem impact (transitive dependency graph; vuln.today resolves to 4-path depth):
  • 109,949 pypi packages depend on pygments (2,840 direct, 107,577 indirect)

Ecosystem-wide dependent count for version 2.20.0.

Description (CVE.org)

A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Analysis (AI)

A regular expression denial-of-service (ReDoS) vulnerability exists in Pygments up to version 2.19.2, specifically in the AdlLexer component within pygments/lexers/archetype.py. An attacker with local access can craft malicious input that triggers inefficient regex pattern matching, causing high CPU consumption and service degradation. …


Vulnerability Assessment (AI)

Risk Assessment: While the CVSS score of 3.3 is low, the risk assessment must consider multiple factors: the attack vector is local with low privilege requirements (AV:L/AC:L/PR:L), indicating this is not an easily exploitable remote vulnerability in typical deployments. …

Exploit Scenario: A local user with legitimate system access submits a specially crafted archetype file (containing malformed ADL syntax designed to trigger ReDoS) to a documentation generation system or code analysis tool that uses Pygments. The AdlLexer attempts to parse the file, and the inefficient regex matching causes the process to consume 100% CPU for extended periods, starving other system processes and causing service degradation or timeout. …

Remediation: The primary remediation is to upgrade Pygments to a version newer than 2.19.2 once a patch is released by the project maintainers. …
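The scenario above hinges on a property of regex engines that matters for any compensating control: a backtracking match runs to completion inside the engine and cannot be interrupted from the same thread, so a "timeout" has to be enforced from outside the process doing the matching. The example below is added here and is not Pygments code; the pattern `^(a+)+$` is a constructed stand-in for a lexer rule with nested quantifiers and is not the rule from pygments/lexers/archetype.py (which this page does not show). `guarded_match` and `_match_worker` are names chosen for the illustration. It shows the pathological rule beside a linear-time rewrite, and a wall-clock guard that runs the match in a child process and terminates it when the budget is exceeded.

```python
"""Guarding a regex-driven lexer against catastrophic backtracking.

Added illustration for this advisory; not code from Pygments. The patterns
below are constructed and are NOT the rule from pygments/lexers/archetype.py.
"""
import multiprocessing as mp
import re
import time
from typing import Optional

# Constructed pathological rule: nested quantifiers over the same character
# class. When the trailing anchor fails, the engine retries every way of
# splitting the run of 'a's between the inner and outer groups (exponential).
PATHOLOGICAL_RULE = r"^(a+)+$"

# Same language, rewritten so each character can be consumed in exactly one
# way: the engine fails in linear time on the same inputs.
HARDENED_RULE = r"^a+$"


def _match_worker(pattern: str, text: str, conn) -> None:
    """Run the match in a child process so the parent can kill it.

    re.match executes in C and does not check for signals while matching,
    so a SIGALRM in the same thread would only be delivered after the
    (possibly exponential) match finished.
    """
    conn.send(re.match(pattern, text) is not None)
    conn.close()


def guarded_match(pattern: str, text: str, timeout_s: float = 1.0) -> Optional[bool]:
    """Match `text` against `pattern` under a wall-clock budget.

    Returns True/False when the match completed, or None when the child
    exceeded the budget and was terminated. Callers should treat None as
    "reject this input", not as "keep waiting".
    """
    methods = mp.get_all_start_methods()
    ctx = mp.get_context("fork") if "fork" in methods else mp.get_context()
    parent_conn, child_conn = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_match_worker, args=(pattern, text, child_conn))
    proc.start()
    child_conn.close()  # parent keeps only the receiving end
    proc.join(timeout_s)
    if proc.is_alive():
        proc.terminate()
        proc.join()
        return None
    # A child that died without sending (e.g. crashed) also yields None.
    return parent_conn.recv() if parent_conn.poll() else None


def timed(pattern: str, text: str, timeout_s: float = 1.0):
    """Return (result, seconds elapsed) for one guarded match."""
    start = time.monotonic()
    result = guarded_match(pattern, text, timeout_s)
    return result, time.monotonic() - start


if __name__ == "__main__":
    # Constructed inputs: a run of 'a's that matches, and one spoiled by a
    # trailing '!' so the anchor fails and backtracking is forced.
    good = "a" * 30
    bad = "a" * 30 + "!"
    for name, rule in (("pathological", PATHOLOGICAL_RULE), ("hardened", HARDENED_RULE)):
        for label, text in (("good", good), ("bad", bad)):
            result, secs = timed(rule, text)
            print(f"{name:12s} {label}: result={result} elapsed={secs:.2f}s")
```

In a deployment the worker body would be the real highlighting call rather than `re.match`, with the same discipline: run it in a separate process (or a pool with per-task timeouts and memory limits), bound the input size before handing it over, and treat a timed-out job as a rejected input. Running the block prints the pathological rule returning None on the spoiled input after the one-second budget while the hardened rule answers False immediately.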

Recommended Action (AI)

During next maintenance window: Apply vendor patches when convenient. …


Vendor Status

Debian

pygments

Release        Status       Fixed Version     Urgency
bullseye       vulnerable   2.7.1+dfsg-2.1    -
bookworm       vulnerable   2.14.0+dfsg-1     -
trixie         vulnerable   2.18.0+dfsg-2     -
forky, sid     vulnerable   2.19.2+dfsg-1     -
(unstable)     fixed        (unfixed)         -

SUSE

Severity: Low

Product                                                      Status
openSUSE Tumbleweed                                          Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7           Affected
SUSE Linux Enterprise Server 15 SP7                          Affected
SUSE Linux Enterprise Desktop 15 SP7                         Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7     Affected


CVE-2026-4539 vulnerability details – vuln.today
