CVE-2026-41080

low-risk

Published 2026-04-16

libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.9/10 Low

LOCAL / HIGH complexity

Libexpat

Libexpat Project

https://blog.hartwork.org/posts/expat-2-8-0-released/

Issue Tracking https://github.com/libexpat/libexpat/issues/47

Issue Tracking https://github.com/libexpat/libexpat/pull/1183

https://www.openwall.com/lists/oss-security/2026/04/26/1

http://www.openwall.com/lists/oss-security/2026/04/26/1

/ 100

low-risk

Severity 8/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal