PYSEC-2026-1570

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/llama-index-readers-papers/PYSEC-2026-1570.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1570
Aliases
Published
2026-07-07T16:02:56.466649Z
Modified
2026-07-13T07:26:34.494956192Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
LlamaIndex has an XML Entity Expansion vulnerability in its sitemap parser
Details

An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting the Papers Loaders package before version 0.3.2 (in llama-index v0.10.0 and above through v0.12.29). This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version 0.3.2 (in llama-index 0.12.29).

References

Affected packages

PyPI / llama-index-readers-papers

Package

Name
llama-index-readers-papers
View open source insights on deps.dev
Purl
pkg:pypi/llama-index-readers-papers

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.3.2

Affected versions

0.*
0.0.1
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.2.0
0.3.0
0.3.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/llama-index-readers-papers/PYSEC-2026-1570.yaml"