CVE-2026-41066

Severity: HIGH (CVSS 3.1 base score 7.5)
Weakness: Improper Restriction of XML External Entity Reference (CWE-611)
Date: 2026-04-21 | Project: https://github.com/lxml/lxml | Advisory: GHSA-vfmq-68hx-4jfw

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Description (NVD)

Impact

Using either of the two affected parsers (iterparse() and ETCompatXMLParser(), see Resources below) in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files through external entity references.

Patches

lxml 6.1.0 changes the default to resolve_entities='internal', thus disallowing local file access by default.

Workarounds

Passing the resolve_entities option explicitly as resolve_entities='internal' or resolve_entities=False disables the local file access on affected versions.

Resources

Original report: https://bugs.launchpad.net/lxml/+bug/2146291

The default option was changed to resolve_entities='internal' for the normal XML and HTML parsers in lxml 5.0. The default was not changed for iterparse() and ETCompatXMLParser() at the time. lxml 6.1 makes the safe option the default for all parsers.
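As an added example (not code from the advisory or the lxml project), the workaround applied to both etree.XMLParser and etree.iterparse(), run against a constructed document that declares one internal entity and one file-backed external entity; the secret file, its path and the entity names are all constructed for the demonstration:

```python
# Added example (not from the advisory or the lxml project): parsing untrusted
# XML with entity resolution disabled, for etree.XMLParser and etree.iterparse().
import io
import os
import tempfile
from lxml import etree

# Constructed "secret" file that the external entity below points at.
SECRET = "CONSTRUCTED-SECRET-DO-NOT-LEAK"
_secret_path = os.path.join(tempfile.mkdtemp(), "secret.txt")
with open(_secret_path, "w") as fh:
    fh.write(SECRET)

# Constructed untrusted document: one internal entity, one external (file) entity.
UNTRUSTED_XML = (
    "<?xml version='1.0'?>\n"
    "<!DOCTYPE note [\n"
    "  <!ENTITY greeting 'hello'>\n"
    f"  <!ENTITY ext SYSTEM 'file://{_secret_path}'>\n"
    "]>\n"
    "<note><a>&greeting;</a><b>&ext;</b></note>"
).encode()


def parse_hardened(data: bytes) -> etree._Element:
    """Parse with resolve_entities=False: references stay as entity nodes in the
    tree and nothing (internal or external) is expanded, so no file is read."""
    parser = etree.XMLParser(resolve_entities=False, no_network=True)
    return etree.fromstring(data, parser)


def iterparse_hardened(data: bytes) -> list:
    """Same setting passed to iterparse(), which kept resolve_entities=True as
    its own default before lxml 6.1; returns (tag, text) per closed element."""
    seen = []
    for _event, elem in etree.iterparse(io.BytesIO(data), events=("end",),
                                         resolve_entities=False):
        seen.append((elem.tag, elem.text))
    return seen


def leaks_secret(root: etree._Element) -> bool:
    """True if the secret file content ended up anywhere in the parsed tree."""
    return SECRET.encode() in etree.tostring(root)


def entity_refs_preserved(root: etree._Element) -> bool:
    """True if both references were serialized back unexpanded (&name;)."""
    out = etree.tostring(root)
    return b"&greeting;" in out and b"&ext;" in out
```

With the hardened settings the element that referenced the external entity has no text of its own; an application that needs internal entities expanded should use resolve_entities='internal' on lxml 5.0 or later instead of False.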


CVE-2026-41066 vulnerability details – vuln.today
