Low severity3.3NVD Advisory· Published Mar 22, 2026· Updated Apr 29, 2026

CVE-2026-4539

Description

A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
PygmentsPyPI	< 2.20.0	2.20.0

Affected products

Pygments/Pygmentsreferences

Patches

24b8aa76c6cd

fix(lexers): prevent ReDoS in archetype lexer GUID and ID patterns (#3064)

https://github.com/pygments/pygmentszam.Mar 25, 2026via ghsa

commit

1 file changed · +3 −3

pygments/lexers/archetype.py+3 −3 modified

@@ -35,8 +35,8 @@ class AtomsLexer(RegexLexer):
             (r'([ \t]*)(--.*)$', bygroups(Whitespace, Comment)),
         ],
         'archetype_id': [
-            (r'([ \t]*)(([a-zA-Z]\w+(\.[a-zA-Z]\w+)*::)?[a-zA-Z]\w+(-[a-zA-Z]\w+){2}'
-             r'\.\w+[\w-]*\.v\d+(\.\d+){,2}((-[a-z]+)(\.\d+)?)?)',
+            (r'([ \t]*)(([a-zA-Z]\w{1,100}(\.[a-zA-Z]\w{1,100})*::)?[a-zA-Z]\w{1,100}(-[a-zA-Z]\w{1,100}){2}'
+             r'\.\w{1,100}[\w-]*\.v\d+(\.\d+){,2}((-[a-z]+)(\.\d+)?)?)',
              bygroups(Whitespace, Name.Decorator)),
         ],
         'date_constraints': [
@@ -293,7 +293,7 @@ class AdlLexer(AtomsLexer):
             # numbers and version ids
             (r'\d+(\.\d+)*', Literal),
             # Guids
-            (r'(\d|[a-fA-F])+(-(\d|[a-fA-F])+){3,}', Literal),
+            (r'[0-9a-fA-F]{1,36}(-[0-9a-fA-F]{1,36}){3,}', Literal),
             (r'\w+', Name.Class),
             (r'"', String, 'string'),
             (r'=', Operator),

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-5239-wwwm-4pmqghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-4539ghsaADVISORY
github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2cccghsaWEB
github.com/pygments/pygments/issues/3058nvdWEB
github.com/pygments/pygments/pull/3064ghsaWEB
github.com/pygments/pygments/releases/tag/2.20.0ghsaWEB
vuldb.comnvdWEB
vuldb.comnvdWEB
vuldb.comnvdWEB

News mentions

No linked articles in our index yet.

Severity

LowCVSS v3.1

3.3/ 10

CVSS v41.9

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Local
Complexity: Low
Privileges: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

EPSS

Probability of exploitation in the next 30 days.

0.01%

VYPR risk score

Composite of severity, exploitation, and reach.

0.14low

cvss	0.214
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000

Weaknesses

CWE-1333
Inefficient Regular Expression Complexity
CWE-400
Uncontrolled Resource Consumption

CVE ID

CVE-2026-4539

Source code

Credits

Y(
ybdesire (VulDB User)
reporter
D
dnegreira
analyst · ghsa
N
nzlaura
analyst · ghsa