pygments
PyPI · 5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting pygments
- CVE-2015-8557 (CRITICAL, CVSS 9.0, EG 9.0) ✓ Fixed in 2.1 · 2016-01-08
  vulnerable: 1.2.2 ... 2.0rc1 (11 versions)
  The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.
- CVE-2021-20270 (HIGH, CVSS 7.5, EG 7.5) ✓ Fixed in 2.7.4 · 2021-03-23
  vulnerable: 1.5 ... 2.7.3 (25 versions)
  An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
- CVE-2021-27291 (HIGH, CVSS 7.5, EG 7.5) ✓ Fixed in 2.7.4 · 2021-03-17
  vulnerable: 1.1 ... 2.7.3 (33 versions)
  In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting …
- CVE-2022-40896 (MEDIUM, CVSS 5.5, EG 5.5) ✓ Fixed in 2.15.1 · 2023-07-19
  vulnerable: 0.10 ... 2.9.0 (57 versions)
  A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.
- CVE-2026-4539 (LOW, CVSS 3.3, EG 3.3) ✓ Fixed in 2.20.0 · 2026-03-22
  vulnerable: 0.10 ... 2.9.0 (67 versions)
  A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only…