Sign In

CVE-2026-41066

ADVISORY - github

Summary

Impact

Using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files.

Patches

lxml 6.1.0 changes the default to resolve_entities='internal', thus disallowing local file access by default.

Workarounds

Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access.

Resources

Original report: https://bugs.launchpad.net/lxml/+bug/2146291

The default option was changed to resolve_entities='internal' for the normal XML and HTML parsers in lxml 5.0. The default was not changed for iterparse() and ETCompatXMLParser() at the time. lxml 6.1 makes the safe option the default for all parsers.

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-611

Improper Restriction of XML External Entity Reference

Impacted images

Advisories

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-vfmq-68hx-4jfw
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-611

CVSS SCORE

7.5high