Skip to main content

Python Zeep

1 CVEs product

Monthly

CVE-2026-58501 PyPI MEDIUM PATCH This Month

Server-Side Request Forgery in Python Zeep 4.0.0 through 4.3.2 allows an attacker who can influence WSDL or XSD content parsed by the library to bypass the explicit `Settings.forbid_external` security control, causing the server to issue HTTP or HTTPS requests to attacker-chosen URLs via transitive xsd:import, xsd:include, wsdl:import, or lxml entity and DTD references. The vulnerability is particularly significant because it defeats a documented security setting that developers actively configure to prevent external fetching - applications relying on this control are silently unprotected. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

SSRF Python Python Zeep
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.3%
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Server-Side Request Forgery in Python Zeep 4.0.0 through 4.3.2 allows an attacker who can influence WSDL or XSD content parsed by the library to bypass the explicit `Settings.forbid_external` security control, causing the server to issue HTTP or HTTPS requests to attacker-chosen URLs via transitive xsd:import, xsd:include, wsdl:import, or lxml entity and DTD references. The vulnerability is particularly significant because it defeats a documented security setting that developers actively configure to prevent external fetching - applications relying on this control are silently unprotected. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

SSRF Python Python Zeep
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy