{"ecosystem":"pypi","package":"Pygments","version":null,"bugs":[{"id":359,"ecosystem":"pypi","package_name":"Pygments","affected_version":"1.1","fixed_version":"2.7.4","bug_id":"osv:GHSA-pq64-v7f5-gqh8","title":"Pygments vulnerable to Regular Expression Denial of Service (ReDoS)","description":"In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27291","labels":["CVE-2021-27291","PYSEC-2021-141"],"created_at":"2026-04-19T04:31:21.228048+00:00","updated_at":"2026-04-19T04:31:21.228048+00:00"},{"id":356,"ecosystem":"pypi","package_name":"Pygments","affected_version":"1.5","fixed_version":"2.7.4","bug_id":"osv:GHSA-9w8r-397f-prfh","title":"Infinite Loop in Pygments","description":"An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the \"exception\" keyword.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-20270","labels":["CVE-2021-20270","PYSEC-2021-140"],"created_at":"2026-04-19T04:31:21.226216+00:00","updated_at":"2026-04-19T04:31:21.226216+00:00"},{"id":363,"ecosystem":"pypi","package_name":"Pygments","affected_version":null,"fixed_version":"2.15.1","bug_id":"osv:PYSEC-2023-117","title":"PYSEC-2023-117: advisory","description":"A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.","severity":"medium","status":"fixed","source":"osv","source_url":"https://pypi.org/project/Pygments/","labels":["CVE-2022-40896","GHSA-mrwq-x4v8-fh7p"],"created_at":"2026-04-19T04:31:21.230017+00:00","updated_at":"2026-04-19T04:31:21.230017+00:00"},{"id":362,"ecosystem":"pypi","package_name":"Pygments","affected_version":null,"fixed_version":"2e7e8c4a7b318f4032493773732754e418279a14","bug_id":"osv:PYSEC-2021-141","title":"PYSEC-2021-141: advisory","description":"In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.","severity":"medium","status":"fixed","source":"osv","source_url":"https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce","labels":["CVE-2021-27291","GHSA-pq64-v7f5-gqh8"],"created_at":"2026-04-19T04:31:21.229518+00:00","updated_at":"2026-04-19T04:31:21.229518+00:00"},{"id":361,"ecosystem":"pypi","package_name":"Pygments","affected_version":"1.5","fixed_version":"2.7.4","bug_id":"osv:PYSEC-2021-140","title":"PYSEC-2021-140: advisory","description":"An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the \"exception\" keyword.","severity":"medium","status":"fixed","source":"osv","source_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1922136","labels":["CVE-2021-20270","GHSA-9w8r-397f-prfh"],"created_at":"2026-04-19T04:31:21.229057+00:00","updated_at":"2026-04-19T04:31:21.229057+00:00"},{"id":360,"ecosystem":"pypi","package_name":"Pygments","affected_version":"1.2.2","fixed_version":"2.1","bug_id":"osv:PYSEC-2016-32","title":"PYSEC-2016-32: advisory","description":"The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.","severity":"medium","status":"fixed","source":"osv","source_url":"http://packetstormsecurity.com/files/133823/Pygments-FontManager._get_nix_font_path-Shell-Injection.html","labels":["CVE-2015-8557","GHSA-fff8-4w9p-7v76"],"created_at":"2026-04-19T04:31:21.228604+00:00","updated_at":"2026-04-19T04:31:21.228604+00:00"},{"id":358,"ecosystem":"pypi","package_name":"Pygments","affected_version":null,"fixed_version":"2.15.0","bug_id":"osv:GHSA-mrwq-x4v8-fh7p","title":"Pygments vulnerable to ReDoS","description":"A ReDoS issue was discovered in `pygments/lexers/smithy.py` in Pygments until 2.15.0 via SmithyLexer.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40896","labels":["CVE-2022-40896","PYSEC-2023-117"],"created_at":"2026-04-19T04:31:21.227514+00:00","updated_at":"2026-04-19T04:31:21.227514+00:00"},{"id":355,"ecosystem":"pypi","package_name":"Pygments","affected_version":null,"fixed_version":"2.20.0","bug_id":"osv:GHSA-5239-wwwm-4pmq","title":"Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching","description":"A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4539","labels":["CVE-2026-4539"],"created_at":"2026-04-19T04:31:21.224736+00:00","updated_at":"2026-04-19T04:31:21.224736+00:00"},{"id":357,"ecosystem":"pypi","package_name":"Pygments","affected_version":"1.2.2","fixed_version":"2.1","bug_id":"osv:GHSA-fff8-4w9p-7v76","title":"Command Injection in Pygments","description":"The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-8557","labels":["CVE-2015-8557","PYSEC-2016-32"],"created_at":"2026-04-19T04:31:21.226851+00:00","updated_at":"2026-04-19T04:31:21.226851+00:00"}],"total":9,"_cache":"miss"}