PYSEC-2026-2058

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/xml2rfc/PYSEC-2026-2058.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2058
Aliases
Published
2026-07-07T16:03:02.110703Z
Modified
2026-07-07T17:48:17.468662428Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
xml2rfc has an arbitrary file read vulnerability
Details

Impact

When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the XML.

Workarounds

Test untrusted input with link elements with rel="attachment" before processing.

Credits

This vulnerability was reported by Mohamed Ouad from Doyensec.

References

Affected packages

PyPI / xml2rfc

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.30.1

Affected versions

2.*
2.2.5
2.2.7
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
2.3.11
2.3.11.1
2.3.11.2
2.3.11.3
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10.dev0
2.4.10
2.4.11
2.4.12
2.5.0
2.5.1
2.5.2
2.5.3.dev0
2.6.0
2.6.1
2.6.2
2.7.0
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.10.0
2.10.1
2.10.2
2.10.3
2.11.0
2.11.1
2.12.0
2.12.1
2.12.2
2.12.3
2.13.0
2.13.1
2.14.0
2.14.1
2.15.0
2.15.1
2.15.2
2.15.3
2.15.4
2.15.5
2.16.0
2.16.1
2.16.2
2.16.3
2.17.0
2.17.1
2.17.2
2.18.0
2.19.0
2.19.1
2.20.0
2.20.1
2.21.0
2.21.1
2.22.0
2.22.1
2.22.2
2.22.3
2.23.0
2.23.1
2.24.0
2.25.0
2.26.0
2.27.0
2.27.1
2.28.0
2.29.0
2.29.1
2.30.0
2.31.0
2.32.0
2.33.0
2.34.0
2.35.0
2.36.0
2.37.0
2.37.1
2.37.2
2.37.3
2.38.0
2.38.1
2.39.0
2.40.0
2.40.1
2.41.0
2.42.0
2.43.0
2.44.0
2.45.0
2.45.1
2.45.2
2.45.3
2.46.0
2.47.0
3.*
3.0.0
3.1.0
3.1.1
3.2.0
3.2.1
3.3.0
3.4.0
3.5.0
3.6.0
3.7.0
3.8.0
3.9.0
3.9.1
3.10.0
3.11.0
3.11.1
3.12.0
3.12.1
3.12.2
3.12.3
3.12.4
3.12.5
3.12.6
3.12.7
3.12.8
3.12.9
3.12.10
3.13.0
3.13.1
3.14.0
3.14.1
3.14.2
3.15.0
3.15.1
3.15.2
3.15.3
3.16.0
3.17.0
3.17.1
3.17.2
3.17.3
3.17.4
3.17.5
3.18.0
3.18.1
3.18.2
3.19.0
3.19.1
3.19.2
3.19.3
3.19.4
3.20.0
3.20.1
3.21.0
3.22.0
3.23.0
3.23.1
3.23.2
3.24.0
3.25.0
3.26.0
3.27.0
3.28.0
3.28.1
3.29.0
3.30.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/xml2rfc/PYSEC-2026-2058.yaml"