Fluid Attacks Database

Description

Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pygments	>=0 <2.20.0	2.20.0
debian 14	pygments	=2.18.0+dfsg-2 \|\| =2.19.2+dfsg-1	-
debian 11	pygments	=2.10.0+dfsg-1 \|\| =2.11.2+dfsg-1 \|\| =2.11.2+dfsg-2 \|\| =2.12.0+dfsg-1 \|\| =2.12.0+dfsg-1~exp1 \|\| =2.12.0+dfsg-2 \|\| =2.13.0+dfsg-1 \|\| =2.14.0+dfsg-1 \|\| =2.15.0+dfsg-1 \|\| =2.15.1+dfsg-1 \|\| =2.17.2+dfsg-1 \|\| =2.18.0+dfsg-1 \|\| =2.18.0+dfsg-2 \|\| =2.19.2+dfsg-1 \|\| =2.7.1+dfsg-2.1	-
rpm rhel10	python3.14-pip	-	-
rpm rhel9	python3.14-pip	-	-
debian 12	pygments	=2.14.0+dfsg-1 \|\| =2.15.0+dfsg-1 \|\| =2.15.1+dfsg-1 \|\| =2.17.2+dfsg-1 \|\| =2.18.0+dfsg-1 \|\| =2.18.0+dfsg-2 \|\| =2.19.2+dfsg-1	-
debian 13	pygments	=2.18.0+dfsg-2 \|\| =2.19.2+dfsg-1	-

Aliases

1. CVE-2026-45392. NVD-2026-45393. OSV-2026-45394. OSV-DEBIAN-2026-45395. GCVE-2026-45396. SECURITY-TRACKER-CVE-2026-4539

References

1. https://github.com/pygments/pygments/issues/30582. https://github.com/pygments/pygments/pull/30643. https://github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2ccc4. https://github.com/pygments/pygments/releases/tag/2.20.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.