EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in the soupsieve package, specifically versions <= 2.8.3, which is a CSS selector engine for Beautiful Soup 4. The vulnerabilities are of the types Regular Expression Denial of Service (ReDoS) and Memory Exhaustion, allowing for uncontrolled resource consumption. These vulnerabilities pose a significant business risk, as they can be exploited to cause denial of service, slowing down or crashing applications that rely on the soupsieve package.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in the soupsieve package, specifically versions <= 2.8.3, which is a CSS selector engine for Beautiful Soup 4. The vulnerabilities are of the types Regular Expression Denial of Service (ReDoS) and Memory Exhaustion, allowing for uncontrolled resource consumption. These vulnerabilities pose a significant business risk, as they can be exploited to cause denial of service, slowing down or crashing applications that rely on the soupsieve package.[emaillocker id="1283"]
• CVE-2026-49477 with a CVSS score of 7.5 – This vulnerability is a Regular Expression Denial of Service (ReDoS) that occurs when the CSS selector parser in soupsieve encounters an attribute selector with an unterminated quoted value, causing catastrophic backtracking and allowing an attacker to hang the application for an extended period with a small payload.
• CVE-2026-49476 with a CVSS score of 7.5 – This vulnerability is a Memory Exhaustion issue where the CSS selector parser in soupsieve allocates unbounded memory when compiling large comma-separated selector lists, allowing an attacker to cause memory exhaustion and denial of service with a relatively small input.
The overall risk and urgency of these vulnerabilities are high, as they can be easily exploited by attackers to cause significant business consequences, including denial of service, application crashes, and memory exhaustion, ultimately leading to revenue loss and reputational damage.
RECOMMENDATION:
We recommend you to update soupsieve to version 2.8.4.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-836r-79rf-4m37
https://github.com/advisories/GHSA-2wc2-fm75-p42x