CVE-2026-55206
CVE-2026-55206 is a high-severity vulnerability with a CVSS 4.0 base score of 8.7. The underlying weakness is classified as CWE-407.
Key facts
- Severity: High (CVSS 4.0 base score 8.7)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-407
- Published:
- Last modified:
Description
py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, PackInfo._read() in archiveinfo.py used an O(n^2) cumulative sum pattern for attacker-controlled numstreams values parsed from archive headers, allowing a crafted .7z archive to cause excessive CPU consumption during SevenZipFile.init() before extraction. This issue is fixed in version 1.1.3.
Frequently asked questions
- What is CVE-2026-55206?
- py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, PackInfo._read() in archiveinfo.py used an O(n^2) cumulative sum pattern for attacker-controlled numstreams values parsed from archive headers, allowing a crafted .7z archive to cause excessive CPU consumption during SevenZipFile.init() before extraction. This issue is fixed in version 1.1.3.
- How severe is CVE-2026-55206?
- CVE-2026-55206 has a CVSS 4.0 base score of 8.7, rated high severity.
- Is CVE-2026-55206 being actively exploited?
- It is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no EPSS exploit-prediction score is available yet.
- How do I fix CVE-2026-55206?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2026-55206 published?
- CVE-2026-55206 was published on 2026-07-08.
References
- https://github.com/miurahr/py7zr/commit/d7aa3a197d15c75a65b24f796d3a69f83806d3f8
- https://github.com/miurahr/py7zr/releases/tag/v1.1.3
- https://github.com/miurahr/py7zr/security/advisories/GHSA-h4gh-22qq-72r7
Other CWE-407 vulnerabilities
- CVE-2026-57480 — High (CVSS 8.7): Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to…
- CVE-2026-59880 — High (CVSS 8.7): Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and…
- CVE-2026-58226 — High (CVSS 8.7): Inefficient Algorithmic Complexity vulnerability in elixir-mint hpax allows unauthenticated denial-of-service via…
- CVE-2026-54892 — High (CVSS 8.7): Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to…
- CVE-2026-56669 — High (CVSS 7.5): Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server…
- CVE-2026-59928 — High (CVSS 7.5): Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many…