
CPython EUVD-2026-29178 | CVE-2026-7210

Severity: MEDIUM, 6.3 (CVSS 4.0)
Weakness: Insufficient Entropy (CWE-331)
2026-05-11 | PSF | GHSA-wxv8-w48j-r2f4

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (4 events)

May 11, 2026 - 18:47 (vuln.today): Source Code Evidence Fetched
May 11, 2026 - 18:47 (vuln.today): Analysis Generated
May 11, 2026 - 18:22 (NVD): CVSS changed to 6.3 (MEDIUM)
May 11, 2026 - 17:19 (NVD): CVE Published, MEDIUM 6.3

Description (NVD)

xml.parsers.expat and xml.etree.ElementTree use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

Analysis (AI)

XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flooding protection, allowing crafted XML documents to trigger algorithmic complexity attacks (hash flooding) that degrade parser performance. Remote attackers can exploit this with complex XML payloads to cause denial of service. …
