A Denial of Service (DoS) vulnerability has been identified in Pygments versions 2.9.0 and earlier. This flaw resides within the AdlLexer function of the archetype.py file, where crafted input can trigger inefficient regular expression complexity. Successful exploitation requires local access and could lead to system resource exhaustion, impacting application availability.
The vulnerability allows an attacker with local access to trigger a denial-of-service condition within Pygments. By supplying input that exercises the inefficient regular expression handling in the AdlLexer, an attacker can consume excessive system resources, potentially leading to application crashes or system instability. Although local access is required, the risk can be significant in environments where local access controls are weak or compromised. The impact is resource exhaustion rather than data compromise, but a prolonged DoS could disrupt critical services.
A proof-of-concept exploit for CVE-2026-4539 has been publicly released, indicating a potential for active exploitation. The vulnerability was reported early and remains unaddressed by the project. The CVSS score is LOW, suggesting a limited attack surface and impact, but the availability of a PoC increases the risk of opportunistic attacks.
EPSS: 0.01% (3rd percentile)
The primary mitigation for CVE-2026-4539 is to upgrade Pygments to version 2.20.0 or later, which contains the fix. If upgrading is not immediately feasible, consider restricting local access to the system running Pygments. While a direct WAF rule is unlikely to be effective due to the nature of the vulnerability, monitoring system resource usage (CPU, memory) for unusual spikes could provide an early warning sign of exploitation. There are no specific detection signatures available at this time.
Update the pygments library to a version later than 2.19.2. This will fix the denial of service vulnerability caused by inefficient regular expression complexity in the AdlLexer lexer.
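As an added example (not part of the advisory or the Pygments project), the following script audits requirements.txt-style pins and the locally installed package against the fixed release named in the mitigation above. It assumes 2.20.0 as the fixed version, as stated in this page's mitigation text, and uses constructed sample requirement lines.

```python
"""Audit Pygments version pins against the fixed release named in this advisory."""
import re
from importlib import metadata

# Fixed release as stated in the advisory's mitigation text (assumption: 2.20.0).
FIXED_VERSION = (2, 20, 0)
SPEC_RE = re.compile(r"^\s*(pygments)\s*(==|>=|~=|<=|>|<)\s*([\w.]+)", re.IGNORECASE)


def parse_version(text):
    """Turn '2.19.2' or '2.18' into a comparable (major, minor, patch) tuple.
    Pre-release suffixes such as 'rc1' are ignored for this comparison."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n or 0) for n in m.groups())


def is_affected(version):
    """True when the version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def audit_requirements(lines):
    """Return {spec: verdict} for Pygments entries in requirements.txt lines.
    Exact pins (==) and lower bounds at or above the fix are decided;
    every other specifier could still resolve to an affected release."""
    results = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        m = SPEC_RE.match(line)
        if not m:
            continue
        op, ver = m.group(2), m.group(3)
        if op == "==":
            results[line] = "affected" if is_affected(ver) else "fixed"
        elif op == ">=" and not is_affected(ver):
            results[line] = "fixed"
        else:
            results[line] = "review"
    return results


def installed_verdict():
    """Verdict for the Pygments package installed in this interpreter, or None."""
    try:
        ver = metadata.version("Pygments")
    except metadata.PackageNotFoundError:
        return None
    return (ver, "affected" if is_affected(ver) else "fixed")


# Constructed sample requirement lines (not taken from the page).
SAMPLE = ["pygments==2.19.2  # pinned", "Pygments>=2.20.0", "pygments~=2.18", "requests==2.31.0"]

if __name__ == "__main__":
    for spec, verdict in audit_requirements(SAMPLE).items():
        print(f"{verdict:9} {spec}")
    print("installed:", installed_verdict())
```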
CVE-2026-4539 is a Denial of Service vulnerability in Pygments versions 2.9.0 and earlier, allowing attackers with local access to cause resource exhaustion through inefficient regular expression handling.
You are affected if you are using Pygments versions 2.9.0 or earlier. Upgrade to 2.20.0 or later to mitigate the risk.
Upgrade Pygments to version 2.20.0 or later. If immediate upgrade is not possible, restrict local access to systems running Pygments.
A public proof-of-concept exploit exists, suggesting a potential for active exploitation, although confirmed exploitation is not yet widespread.
Check the Pygments project's website and GitHub repository for updates and advisories related to CVE-2026-4539.