Fluid Attacks Database

Description

xml.parsers.expat and xml.etree.ElementTree use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 12	python3.11	=3.11.2-6 \|\| =3.11.2-6+deb12u1 \|\| =3.11.2-6+deb12u2 \|\| =3.11.2-6+deb12u3 \|\| =3.11.2-6+deb12u4 \|\| =3.11.2-6+deb12u5 \|\| =3.11.2-6+deb12u6 \|\| =3.11.2-6+deb12u7 \|\| =3.11.3-1 \|\| =3.11.3-2 \|\| =3.11.4-1 \|\| =3.11.5-1 \|\| =3.11.5-2 \|\| =3.11.5-3 \|\| =3.11.6-1 \|\| =3.11.6-2 \|\| =3.11.6-3 \|\| =3.11.6-3~hurd.2 \|\| =3.11.7-1 \|\| =3.11.7-2 \|\| =3.11.8-1 \|\| =3.11.8-1.1~exp1 \|\| =3.11.8-1.1~exp2 \|\| =3.11.8-2 \|\| =3.11.8-3 \|\| =3.11.8-3+hurd.1 \|\| =3.11.9-1
debian 11	python3.9	=3.9.10-1 \|\| =3.9.10-2 \|\| =3.9.11-1 \|\| =3.9.12-1 \|\| =3.9.13-1 \|\| =3.9.2-1 \|\| =3.9.2-1+deb11u1 \|\| =3.9.2-1+deb11u2 \|\| =3.9.2-1+deb11u3 \|\| =3.9.2-1+deb11u4 \|\| =3.9.2-1+deb11u5 \|\| =3.9.2-1+deb11u6 \|\| =3.9.2-1+deb11u7 \|\| =3.9.3-1 \|\| =3.9.3-2 \|\| =3.9.4-1 \|\| =3.9.5-1 \|\| =3.9.5-2 \|\| =3.9.5-3 \|\| =3.9.6-1 \|\| =3.9.7-1 \|\| =3.9.7-2 \|\| =3.9.7-4 \|\| =3.9.8-1 \|\| =3.9.8-2 \|\| =3.9.9-1 \|\| =3.9.9-2 \|\| =3.9.9-3 \|\| =3.9.9-4
debian 11	pypy3	=7.3.10+dfsg-1 \|\| =7.3.10~rc3+dfsg-1 \|\| =7.3.10~rc3+dfsg-2 \|\| =7.3.11+dfsg-1 \|\| =7.3.11+dfsg-2 \|\| =7.3.12+dfsg-1 \|\| =7.3.12~rc1+dfsg-1 \|\| =7.3.12~rc2+dfsg-1 \|\| =7.3.13+dfsg-1 \|\| =7.3.14+dfsg-1 \|\| =7.3.15+dfsg-1 \|\| =7.3.16+dfsg-1 \|\| =7.3.16+dfsg-2 \|\| =7.3.17+dfsg-1 \|\| =7.3.17+dfsg-2 \|\| =7.3.17+dfsg-3 \|\| =7.3.18+dfsg-1 \|\| =7.3.18+dfsg-2 \|\| =7.3.19+dfsg-1 \|\| =7.3.19+dfsg-2 \|\| =7.3.20+dfsg-1 \|\| =7.3.20+dfsg-2 \|\| =7.3.20+dfsg-3 \|\| =7.3.20+dfsg-4 \|\| =7.3.21+dfsg-1 \|\| =7.3.21+dfsg-2 \|\| =7.3.21+dfsg-3 \|\| =7.3.21+dfsg-4 \|\| =7.3.22+dfsg-1 \|\| =7.3.5+dfsg-2 \|\| =7.3.5+dfsg-2+deb11u1 \|\| =7.3.5+dfsg-2+deb11u2 \|\| =7.3.5+dfsg-2+deb11u3 \|\| =7.3.5+dfsg-2+deb11u4 \|\| =7.3.5+dfsg-2+deb11u5 \|\| =7.3.6+dfsg-1 \|\| =7.3.6~rc2+dfsg-1 \|\| =7.3.6~rc2+dfsg-2 \|\| =7.3.7+dfsg-1 \|\| =7.3.7+dfsg-2 \|\| =7.3.7+dfsg-3 \|\| =7.3.7+dfsg-4 \|\| =7.3.7+dfsg-5 \|\| =7.3.8+dfsg-1 \|\| =7.3.8+dfsg-2 \|\| =7.3.8~rc1+dfsg-1 \|\| =7.3.8~rc1+dfsg-2 \|\| =7.3.9+dfsg-1 \|\| =7.3.9+dfsg-2 \|\| =7.3.9+dfsg-3 \|\| =7.3.9+dfsg-4 \|\| =7.3.9+dfsg-5
debian 12	pypy3	=7.3.11+dfsg-2 \|\| =7.3.11+dfsg-2+deb12u1 \|\| =7.3.11+dfsg-2+deb12u2 \|\| =7.3.11+dfsg-2+deb12u3 \|\| =7.3.12+dfsg-1 \|\| =7.3.12~rc1+dfsg-1 \|\| =7.3.12~rc2+dfsg-1 \|\| =7.3.13+dfsg-1 \|\| =7.3.14+dfsg-1 \|\| =7.3.15+dfsg-1 \|\| =7.3.16+dfsg-1 \|\| =7.3.16+dfsg-2 \|\| =7.3.17+dfsg-1 \|\| =7.3.17+dfsg-2 \|\| =7.3.17+dfsg-3 \|\| =7.3.18+dfsg-1 \|\| =7.3.18+dfsg-2 \|\| =7.3.19+dfsg-1 \|\| =7.3.19+dfsg-2 \|\| =7.3.20+dfsg-1 \|\| =7.3.20+dfsg-2 \|\| =7.3.20+dfsg-3 \|\| =7.3.20+dfsg-4 \|\| =7.3.21+dfsg-1 \|\| =7.3.21+dfsg-2 \|\| =7.3.21+dfsg-3 \|\| =7.3.21+dfsg-4 \|\| =7.3.22+dfsg-1
debian 13	pypy3	=7.3.19+dfsg-2 \|\| =7.3.20+dfsg-1 \|\| =7.3.20+dfsg-2 \|\| =7.3.20+dfsg-3 \|\| =7.3.20+dfsg-4 \|\| =7.3.21+dfsg-1 \|\| =7.3.21+dfsg-2 \|\| =7.3.21+dfsg-3 \|\| =7.3.21+dfsg-4 \|\| =7.3.22+dfsg-1
debian 14	pypy3	=7.3.19+dfsg-2 \|\| =7.3.20+dfsg-1 \|\| =7.3.20+dfsg-2 \|\| =7.3.20+dfsg-3 \|\| =7.3.20+dfsg-4 \|\| =7.3.21+dfsg-1 \|\| =7.3.21+dfsg-2 \|\| =7.3.21+dfsg-3 \|\| =7.3.21+dfsg-4 \|\| =7.3.22+dfsg-1
debian 11	python2.7	=2.7.18-10 \|\| =2.7.18-11 \|\| =2.7.18-12 \|\| =2.7.18-13 \|\| =2.7.18-13.1 \|\| =2.7.18-13.1~exp1 \|\| =2.7.18-13.2 \|\| =2.7.18-8 \|\| =2.7.18-8+deb11u1 \|\| =2.7.18-9
debian 13	python3.13	=3.13.11-1 \|\| =3.13.12-1 \|\| =3.13.5-2 \|\| =3.13.5-2+deb13u1 \|\| =3.13.5-2+deb13u2 \|\| =3.13.6-1 \|\| =3.13.7-1 \|\| =3.13.8-1 \|\| =3.13.9-1
debian 14	python3.13	=3.13.11-1 \|\| =3.13.12-1 \|\| =3.13.5-2 \|\| =3.13.6-1 \|\| =3.13.7-1 \|\| =3.13.8-1 \|\| =3.13.9-1
debian 14	python3.14	=3.14.0-1 \|\| =3.14.0-2 \|\| =3.14.0-3 \|\| =3.14.0-4 \|\| =3.14.0-5 \|\| =3.14.0~a7-1 \|\| =3.14.0~b1-1 \|\| =3.14.0~b2-1 \|\| =3.14.0~b3-1 \|\| =3.14.0~b4-1 \|\| =3.14.0~rc1-1 \|\| =3.14.0~rc2-1 \|\| =3.14.0~rc3-1 \|\| =3.14.2-1 \|\| =3.14.3-1 \|\| =3.14.3-2 \|\| =3.14.3-3 \|\| =3.14.3-4 \|\| =3.14.3-5 \|\| =3.14.4-1 \|\| =3.14.4-2 \|\| =3.14.5-1 \|\| =3.14.5~rc1-1

1-10 of 21

Aliases

1. CVE-2026-72102. NVD-2026-72103. OSV-DEBIAN-2026-72104. OSV-2026-72105. SECURITY-TRACKER-CVE-2026-7210

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.