CVE-2026-4539: Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching

March 22, 2026 (updated March 24, 2026)

A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

References

github.com/advisories/GHSA-5239-wwwm-4pmq
github.com/pygments/pygments
github.com/pygments/pygments/issues/3058
nvd.nist.gov/vuln/detail/CVE-2026-4539
vuldb.com/?ctiid.352327
vuldb.com/?id.352327
vuldb.com/?submit.774685

Code Behaviors & Features

Detect and mitigate CVE-2026-4539 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →