CVE-2026-41066
Severity
High
CVSS score
7.5
Package
lxml
Affected versions
>= 5.4.0-1

Both XML parsers, in their default configuration with `resolve_entities=True`, allow untrusted XML input to read local files. In lxml version 6.1.0, the default was changed to `resolve_entities='internal'`, which prevents local file access by default. To mitigate this issue, users can explicitly set the `resolve_entities` option to either `resolve_entities='internal'` or `resolve_entities=False`. The default had already been changed to `resolve_entities='internal'` for the standard XML and HTML parsers in lxml version 5.0; however, `iterparse()` and `ETCompatXMLParser()` retained the previous default. With lxml 6.1, the safer option is now the default across all parsers.
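The explicit mitigation applied to both a standard parser and `iterparse()`, as an added example that is not code from the advisory or from the lxml project: with `resolve_entities=False`, entity references stay in the tree as `etree._Entity` nodes and the external entity is never opened. The sample document and its placeholder SYSTEM URL are constructed for the example.

```python
from io import BytesIO
from lxml import etree

# Constructed sample input (not from the advisory): one internal entity and
# one external SYSTEM entity. The SYSTEM URL is a placeholder; with
# resolve_entities=False it is never opened, so it does not need to exist.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY greeting "hello">
  <!ENTITY ext SYSTEM "file:///placeholder/never-loaded">
]>
<note><a>&greeting;</a><b>&ext;</b></note>"""


def hardened_parser() -> etree.XMLParser:
    # The advisory's explicit mitigation. False keeps every entity reference
    # unresolved, which is stricter than the 'internal' default of lxml 6.1;
    # on older releases the option must be set explicitly.
    return etree.XMLParser(resolve_entities=False, no_network=True)


def unresolved_entities(root) -> list:
    """Names of entity references left in the tree as etree._Entity nodes."""
    return [node.name for node in root.iter(etree.Entity)]


def parse_hardened(data: bytes):
    return etree.fromstring(data, hardened_parser())


def iterparse_hardened(data: bytes):
    """iterparse() kept resolve_entities=True until lxml 6.1, so the safe
    value is passed explicitly. Returns (tags seen, unresolved entity names)."""
    it = etree.iterparse(BytesIO(data), events=("end",),
                         resolve_entities=False, no_network=True)
    tags = [elem.tag for _event, elem in it]
    return tags, unresolved_entities(it.root)


if __name__ == "__main__":
    print(unresolved_entities(parse_hardened(SAMPLE)))  # ['greeting', 'ext']
    print(iterparse_hardened(SAMPLE))
```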
NVD Record:
References:
- https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw
- https://bugs.launchpad.net/lxml/+bug/2146291
- https://github.com/lxml/lxml/releases/tag/lxml-6.1.0
- https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2026-87.yaml
- https://github.com/advisories/GHSA-vfmq-68hx-4jfw