Upgrade justhtml to version 1.18.0 or higher.
justhtml is a pure Python HTML5 parser that just works.
Affected versions of this package are vulnerable to Infinite loop in the handling of CSS selectors and linkification processes. An attacker can cause excessive CPU or memory consumption by supplying specially crafted selector strings or punctuation-heavy input, leading to repeated rescanning or non-terminating traversals. This can be achieved by passing attacker-controlled selectors to query, matches, or selector-based transforms, or by enabling linkification on large, untrusted text inputs. Programmatically constructed malformed DOM graphs from untrusted sources can also trigger these effects.
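To check a project against the fix version above, the following added example (not part of the advisory or of justhtml) flags exact `justhtml` pins below 1.18.0 in requirements-style text and checks the installed copy. The function names and the sample lines are assumptions made for illustration; only the package name and the 1.18.0 boundary come from this page.

```python
import re
from importlib import metadata

FIXED = (1, 18, 0)  # first fixed release according to the advisory
PIN = re.compile(r"^\s*justhtml\s*(?:\[[^\]]*\])?\s*===?\s*([^\s;#\\,]+)", re.I)
PRE = re.compile(r"[-._]?(?:a|b|c|rc|alpha|beta|pre|preview|dev)\d*", re.I)


def is_affected(version):
    """True when `version` sorts before the fixed release 1.18.0."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        return True  # unparseable pin: fail closed and flag it for review
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (len(FIXED) - len(release))  # so "1.18" compares as 1.18.0
    if release != FIXED:
        return release < FIXED
    # Assumption: a pre-release of 1.18.0 (rc/beta/dev) is not treated as fixed.
    return PRE.match(m.group(2)) is not None


def affected_pins(requirements_text):
    """Return (line_number, version) for every exact justhtml pin below the fix."""
    hits = []
    for n, line in enumerate(requirements_text.splitlines(), 1):
        m = PIN.match(line)
        if m and is_affected(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


def installed_is_affected():
    """None when justhtml is not installed, else whether that copy is affected."""
    try:
        return is_affected(metadata.version("justhtml"))
    except metadata.PackageNotFoundError:
        return None


# Constructed sample lines; the extra and the second package name are made up.
SAMPLE = """requests==2.32.3
justhtml==1.17.2
justhtml-extras==0.1
JustHTML[cli] == 1.18.0rc1 ; python_version >= "3.10"
justhtml==1.18.0
"""

if __name__ == "__main__":
    print(affected_pins(SAMPLE), installed_is_affected())
```

Only exact pins (`==`, `===`) are evaluated; range specifiers such as `>=` are not resolved here and need a resolver or a lock file to decide.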