## CVE-2026-4539: Local ReDoS in Pygments' AdlLexer Poses Transitive Dependency Risk
A newly disclosed vulnerability, CVE-2026-4539, exposes a local attack vector within the widely used Python syntax highlighter, Pygments. The flaw is a ReDoS (Regular Expression Denial-of-Service) vulnerability located specifically in the `AdlLexer` component within `pygments/lexers/archetype.py`. Critically, exploitation requires an attacker to have local access to the affected system, which significantly limits its immediate remote threat but creates a distinct insider risk profile.

The vulnerability exists in Pygments versions prior to 2.20.0, with version 2.19.2 being the current affected release. The security exposure is amplified by its nature as a transitive dependency; Pygments is not directly pinned in many project configurations but is pulled in indirectly through popular documentation toolchains like `mkdocs-material` and `docling`. This creates a hidden supply-chain risk where developers may be unaware of the vulnerable component embedded within their build or documentation systems.

For most teams, the direct impact on CI/CD pipelines or production environments is assessed as low because of the local-only access requirement. However, the situation underscores the persistent challenge of managing transitive dependencies in modern software ecosystems. The recommended remediation is not a direct action on Pygments itself but vigilant monitoring for upstream updates to `mkdocs-material` or `docling` that will eventually pull in the patched Pygments version 2.20.0. This creates a window of exposure in which systems remain vulnerable until those intermediary packages are updated, highlighting a dependency management gap.
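A dependency audit for the exposure described above, as an added example that is not from the advisory or from the Pygments project: it flags an installed Pygments older than 2.20.0 and walks the `Requires-Dist` metadata exposed by `importlib.metadata` to show which top-level packages pull it in transitively. The sample environment map and its edges are constructed for illustration, and the version parser is a simplification that ignores pre-release tags.

```python
import re
from importlib import metadata

PATCHED = (2, 20, 0)  # first fixed Pygments release named in the advisory

def is_vulnerable(version):
    """True when Pygments predates 2.20.0 (numeric components only, not full PEP 440)."""
    return tuple(int(p) for p in re.findall(r"\d+", version)) < PATCHED

def requirement_name(spec):
    """Normalised name from a Requires-Dist line such as 'Pygments>=2.16 ; extra == "docs"'."""
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", spec or "")
    return m.group(1).lower().replace("_", "-") if m else ""

def dependency_chains(requires, target):
    """Chains top-level package -> ... -> target from a {dist: [Requires-Dist, ...]} map."""
    graph = {requirement_name(d): {requirement_name(r) for r in reqs} for d, reqs in requires.items()}
    target = requirement_name(target)
    required = set().union(*graph.values())  # names some other distribution pulls in
    chains = []

    def walk(node, path, seen):
        for dep in sorted(graph.get(node, ())):
            if dep in seen:  # cyclic metadata guard
                continue
            if dep == target:
                chains.append(path + [dep])
            else:
                walk(dep, path + [dep], seen | {dep})
    for root in (n for n in graph if n not in required):  # top-level = required by nobody
        walk(root, [root], {root})
    return chains

def audit_environment():
    """Scan the live environment; [] when Pygments is absent or already patched."""
    try:
        version = metadata.version("Pygments")
    except metadata.PackageNotFoundError:
        return []
    if not is_vulnerable(version):
        return []
    requires = {d.metadata.get("Name", ""): d.requires or [] for d in metadata.distributions()}
    return dependency_chains(requires, "pygments")
# Constructed sample environment: illustrative edges only, not a real `pip freeze`.
SAMPLE_REQUIRES = {
    "mkdocs-material": ["mkdocs>=1.6", "Pygments>=2.16", "pymdown-extensions>=10"],
    "docling": ["docling-core", "rich>=13"],
    "rich": ["Pygments>=2.13.0,<3.0.0", "markdown-it-py>=2.2.0"],
    "Pygments": [],
}
```

Running `audit_environment()` in a documentation build image lists every chain from a top-level package down to the vulnerable Pygments, which is the list to watch for upstream releases.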
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE, ReDoS, Supply Chain, Python, Transitive Dependency
- **Credibility**: unverified
- **Published**: 2026-04-06 07:27:10
- **ID**: 51131
- **URL**: https://whisperx.ai/en/intel/51131