CVE-2026-49476
Summary
The CSS selector parser in soupsieve (the CSS selector engine for Beautiful Soup 4) allocates unbounded memory when compiling large comma-separated selector lists. An attacker who can supply a crafted CSS selector string to soupsieve.compile() or Beautiful Soup's .select() / .select_one() can cause the application to allocate hundreds of megabytes of heap memory from a relatively small input, leading to memory exhaustion and denial of service.
To be completely transparent, AI tools helped surface this issue. However, it was independently reproduced and carefully validated. Researchers follow responsible disclosure practices and originally shared this report privately.
A 500 KB selector string triggers allocation of approximately 244 MB of heap memory - a 488x— amplification ratio.
Details
Affected code:** soupsieve/css_parser.py, lines ~204, 925, 1106
The soupsieve CSS parser splits comma-separated selector lists and creates one CSSSelector object per list item. Each CSSSelector object contains parsed selector data structures including SelectorList, Selector, and associated tag/attribute/pseudo-class metadata.
When a selector string such as a,a,a,... (with 250,000 comma-separated items) is passed to sv.compile(), the parser:
1. Tokenises the entire string and identifies each comma-delimited segment (line ~1106)
2. Parses each segment into a full Selector object with all associated metadata (line ~925)
3. Stores all parsed selectors in a SelectorList (line ~204)
Root cause: No limit is enforced on the number of selectors in a comma-separated list. The parser will attempt to parse and store an arbitrary number of selectors, with each selector object consuming approximately 976 bytes of heap memory. The total allocation scales linearly with the number of list items, but the amplification ratio (output memory / input bytes) is extremely high because each single-character selector like a expands into a complex object graph.
Attack surface: Any applicati
⚡ Watch CVE-2026-49476
Get an email if CVE-2026-49476 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-49476)