Soup Sieve is a CSS selector library designed to be used with Beautiful Soup 4. Prior to 2.8.4, the CSS selector parser in soupsieve contains a regular expression vulnerable to catastrophic backtracking when processing an attribute selector with an unterminated quoted value in soupsieve/css_parser.py, allowing an attacker who can supply untrusted CSS selector strings to soupsieve.compile() or Beautiful Soup .select() / .select_one() to cause CPU exhaustion and denial of service. This issue is fixed in version 2.8.4.

Project Subscriptions

Vendors Products
Hummingbird Subscribe
Advisories
Source ID Title
Github GHSA Github GHSA GHSA-836r-79rf-4m37 Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 16 Jul 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat hummingbird
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat
Redhat hummingbird
References
Metrics threat_severity

None

threat_severity

Important


Tue, 14 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description Soup Sieve is a CSS selector library designed to be used with Beautiful Soup 4. Prior to 2.8.4, the CSS selector parser in soupsieve contains a regular expression vulnerable to catastrophic backtracking when processing an attribute selector with an unterminated quoted value in soupsieve/css_parser.py, allowing an attacker who can supply untrusted CSS selector strings to soupsieve.compile() or Beautiful Soup .select() / .select_one() to cause CPU exhaustion and denial of service. This issue is fixed in version 2.8.4.
Title Soup Sieve: Regular Expression Denial of Service (ReDoS) in soupsieve Selector Parser
Weaknesses CWE-1333
CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-14T20:51:29.369Z

Reserved: 2026-05-30T04:17:43.095Z

Link: CVE-2026-49477

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-07-14T20:51:29Z

Links: CVE-2026-49477 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-16T01:45:04Z

Weaknesses