id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
5934	Fix CVE-2026-7210 in Python	Douglas R. Reno	lfs-book	"While reviewing my email, I was greeted to another CPython security vulnerability, this time also valid for 3.14.5.

{{{
-------- Forwarded Message --------
Subject:     [Security-announce][CVE-2026-7210] The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
Date:     Mon, 11 May 2026 17:58:49 +0100
From:     Stan Ulbrych via Security-announce <security-announce@python.org>
Reply-To:     security-sig@python.org
To:     security-announce@python.org
CC:     Stan Ulbrych <stanulbrych@gmail.com>



There is a MEDIUM severity vulnerability affecting CPython.

`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2026-7210
* https://github.com/python/cpython/pull/149023
}}}

an insufficient entropy problem that also requires users to update to Expat 2.8.0 or later."	enhancement	new	high	13.1	Book	git	normal