What is CVE-2026-4539?

CVE-2026-4539 is a low-severity vulnerability in Pygments, classified under Uncontrolled Resource Consumption. CVSS score: 3.3/10. Published 2026-03-22.

How severe is CVE-2026-4539?

Low severity. CVSS v3 base score is 3.3 out of 10.

Resource exhaustion in Pygments

CVE-2026-4539

A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.000 (0.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.3 (Low). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L.

Affected products

N/a Pygments — versions 2.19.0, 2.19.1, 2.19.2

Weakness classification (CWE)

References

VDB-352327 | pygments archetype.py AdlLexer redos (technical-description, vdb-entry)
VDB-352327 | CTI Indicators (IOB, IOC, TTP, IOA) (signature, permissions-required)
Submit #774685 | pygments <=2.19.2 Denial of Service (third-party-advisory)
cna@vuldb.com (issue-tracking, exploit)
cna@vuldb.com (product)

Frequently asked questions

What is CVE-2026-4539?: CVE-2026-4539 is a low-severity vulnerability in Pygments, classified under Uncontrolled Resource Consumption. CVSS score: 3.3/10. Published 2026-03-22.
How severe is CVE-2026-4539?: Low severity. CVSS v3 base score is 3.3 out of 10.