GHSA-vfmq-68hx-4jfw

Source
https://github.com/advisories/GHSA-vfmq-68hx-4jfw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-vfmq-68hx-4jfw/GHSA-vfmq-68hx-4jfw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vfmq-68hx-4jfw
Aliases
  • CVE-2026-41066
Downstream
Related
Published
2026-04-21T20:38:44Z
Modified
2026-04-22T19:14:11.857152423Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files
Details

Impact

Using either of the two parsers, iterparse() or ETCompatXMLParser(), in its default configuration (resolve_entities=True) allows untrusted XML input to read local files via external entities.

Patches

lxml 6.1.0 changes the default to resolve_entities='internal', thus disallowing local file access by default.

Workarounds

Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access.

Resources

Original report: https://bugs.launchpad.net/lxml/+bug/2146291

The default option was changed to resolve_entities='internal' for the normal XML and HTML parsers in lxml 5.0. The default was not changed for iterparse() and ETCompatXMLParser() at the time. lxml 6.1 makes the safe option the default for all parsers.

Database specific
{
    "github_reviewed_at": "2026-04-21T20:38:44Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-611"
    ],
    "nvd_published_at": null,
    "severity": "HIGH"
}
References

Affected packages

PyPI / lxml

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.1.0

Affected versions

1.*
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
2.*
2.0
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.1
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.2
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.3
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
3.*
3.0
3.0.2
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.5.0
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.7.0
3.7.1
3.7.2
3.7.3
3.8.0
4.*
4.0.0
4.1.0
4.1.1
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.3.0
4.3.2
4.3.3
4.3.4
4.3.5
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.5.1
4.5.2
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.7.1
4.8.0
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
5.*
5.0.0
5.0.1
5.0.2
5.1.0
5.1.1
5.2.0
5.2.1
5.2.2
5.3.0
5.3.1
5.3.2
5.4.0
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-vfmq-68hx-4jfw/GHSA-vfmq-68hx-4jfw.json"