{"data":{"id":"c6e63498-a0b1-43d4-a4b1-a12e19c83dcf","title":"GHSA-2wc2-fm75-p42x: Soup Sieve has Memory Exhaustion via Large Comma-Separated Selector Lists","summary":"Soupsieve (the CSS selector engine for Beautiful Soup 4) has a memory exhaustion vulnerability where the CSS parser allocates unbounded memory when compiling large comma-separated selector lists. An attacker can supply a crafted CSS selector string to `soupsieve.compile()` or Beautiful Soup's `.select()` method to cause the application to allocate hundreds of megabytes of memory from a small input, leading to denial of service (making the application unavailable by consuming all available memory).","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-2wc2-fm75-p42x","publishedAt":"2026-07-09T13:37:40.000Z","cveId":"CVE-2026-49476","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["soupsieve@<= 2.8.3 (fixed: 2.8.4)"],"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Beautiful Soup 4","soupsieve"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-07-09T13:37:40.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}