CVE-2026-15308 Python vulnerability
The incremental HTML parser (html.parser.HTMLParser) allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data.
Quick answer
Python should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- CPython versions before a vendor patch for CVE-2026-15308; the CVE record lists versions before 3.15.0 as affected
Fixed versions
- Vendor-supported patched Python build for CVE-2026-15308
How to fix it
CVE-2026-15308 affects CPython html.parser.HTMLParser when uncontrolled data containing repeated unterminated markup declarations is processed incrementally. The impact is CPU denial of service, so prioritize public services, crawlers, ingestion workers, and APIs that parse user-controlled or remote HTML with html.parser. The CVE record currently identifies pre-3.15.0 CPython versions as affected, while downstream vendors may ship backported fixes before application teams move to a new Python feature release. Apply the vendor-supported patched Python package when available and add input bounds around untrusted HTML parsing until every runtime is remediated.
- Inventory Python runtimes, containers, serverless images, crawlers, ingestion workers, and applications that use html.parser.HTMLParser or libraries that wrap it.
- Identify CPython versions and vendor packages affected by CVE-2026-15308, including long-lived base images and embedded Python runtimes.
- Upgrade to a vendor-supported Python package that includes the CPython fix for CVE-2026-15308, or to a fixed upstream release when available for the deployed branch.
- Add request-size, parse-time, worker-timeout, and queue-depth limits around untrusted HTML parsing workflows while remediation is pending.
- Prefer hardened HTML parsing strategies for untrusted data and avoid feeding attacker-controlled incremental fragments directly into HTMLParser without bounds.
- Review application, worker, and infrastructure metrics for CPU spikes, parser timeouts, repeated unterminated markup input, or denial-of-service patterns.
- If exploitation is suspected, preserve sample payloads, scale or isolate affected workers, and rotate credentials exposed to degraded services as needed.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm runtime package metadata shows a vendor-patched Python build or fixed upstream release for CVE-2026-15308.
- Confirm parser workloads enforce input size, time, and resource limits for uncontrolled HTML.
- Run focused regression tests with repeated unterminated markup declarations and confirm CPU use remains bounded.
- Rerun dependency, container, and host vulnerability scans to confirm vulnerable Python packages are no longer reported where vendor fixes exist.
- Document patched runtime versions, image digests, resource limits, test evidence, and any temporary compensating controls.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-15308?
Python versions listed as affected should be reviewed: CPython versions before a vendor patch for CVE-2026-15308; the CVE record lists versions before 3.15.0 as affected.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
How are Fixnx security risk categories chosen?
Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.
