CVE-2026-4539
low
CVSS v3
3.3
CVSS v2
1.7
VIR risk
3.3
Description
A security flaw has been discovered in pygments up to 2.19.2. The affected component is the AdlLexer class in the file pygments/lexers/archetype.py. Manipulation of the input fed to this lexer triggers inefficient regular expression complexity (CWE-1333, a regular-expression denial of service). The attack is only possible with local access. An exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Predictions
Exploit likelihood
34%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-4539
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-4539.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | affected | |
| debian | sid | affected | |
| debian | trixie | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | pygments | <2.20.0 | 2.20.0 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-4539
- https://github.com/pygments/pygments/issues/3058
- https://github.com/pygments/pygments/pull/3064
- https://github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2ccc
- https://github.com/pygments/pygments
- https://github.com/pygments/pygments/releases/tag/2.20.0
- https://vuldb.com/?ctiid.352327
- https://vuldb.com/?id.352327
- https://vuldb.com/?submit.774685
- https://www.suse.com/security/cve/CVE-2026-4539.html
- https://security-tracker.debian.org/tracker/CVE-2026-4539
CWEs
CWE-400 (Uncontrolled Resource Consumption), CWE-1333 (Inefficient Regular Expression Complexity)