pygments-2.19.2-py3-none-any.whl: 1 vulnerabilities (highest severity is: 3.3)

[mend-bolt-for-github]

Vulnerable Library - pygments-2.19.2-py3-none-any.whl

Pygments is a syntax highlighting package written in Python.

Library home page: https://files.pythonhosted.org/packages/c7/21/705964c7812476f378728bdf590ca4b771ec72385c533964653c68e86bdc/pygments-2.19.2-py3-none-any.whl

Found in HEAD commit: bf9b5034b2c35dc796e701683484607b4e0bbde4

Vulnerabilities

Vulnerability	Severity	CVSS	Dependency	Type	Fixed in (pygments version)	Remediation Possible**
CVE-2026-4539	Low	3.3	pygments-2.19.2-py3-none-any.whl	Direct	N/A	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-4539

Vulnerable Library - pygments-2.19.2-py3-none-any.whl

Pygments is a syntax highlighting package written in Python.

Library home page: https://files.pythonhosted.org/packages/c7/21/705964c7812476f378728bdf590ca4b771ec72385c533964653c68e86bdc/pygments-2.19.2-py3-none-any.whl

Dependency Hierarchy:

• ❌ pygments-2.19.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: bf9b5034b2c35dc796e701683484607b4e0bbde4

Found in base branch: master

Vulnerability Details

A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Publish Date: 2026-03-22

URL: CVE-2026-4539

CVSS 3 Score Details (3.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

[secure-code-warrior-for-github]

Micro-Learning Topic: Inefficient regular expression (Detected by phrase)

Matched on "inefficient regular expression"

What is this? (2min video)

A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Vulnerable library (Detected by phrase)

Matched on "Vulnerable Library"

What is this? (2min video)

Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.

Try a challenge in Secure Code Warrior

[joseguzman1337]

CVE-2026-4539 in pygments-2.19.2 has no available fix (Low severity, CVSS 3.3). No patched version exists upstream at this time. Tracking as accepted risk.