🟠 High  |  Source: Microsoft Security Response Center


CVE-2026-15308 is a denial-of-service vulnerability in Python’s incremental HTMLParser, where repeatedly feeding unterminated markup declarations causes excessive CPU consumption, potentially hanging or crashing affected services. Any Azure-hosted application or service that processes user-supplied HTML using Python’s built-in html.parser module may be exposed. An attacker able to submit crafted input could degrade or disrupt service availability without needing elevated privileges.

Security Architect’s Take: Audit Azure workloads and Azure Functions that accept and parse untrusted HTML input using Python’s html.parser, and prioritise patching to a fixed Python runtime version once available. In the interim, consider enforcing input size limits and timeouts on HTML parsing operations to constrain the blast radius of any exploitation attempt.

Original advisory: CVE-2026-15308 Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations