PYSEC-2026-87
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2026-87.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2026-87
- Aliases
-
- CVE-2026-41066
- GHSA-vfmq-68hx-4jfw
- Published
- 2026-04-24T17:16:20.933Z
- Modified
- 2026-05-20T09:19:06.179641Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolveentities=True) allows untrusted XML input to read local files. Setting the resolveentities option explicitly to resolveentities='internal' or resolveentities=False disables the local file access. This vulnerability is fixed in 6.1.0.
- References
Affected packages
PyPI / lxml
Package
- Name
- lxml
- View open source insights on deps.dev
- Purl
- pkg:pypi/lxml
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.0
Affected versions
1.*
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
2.*
2.0
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.1
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.2
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.3
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
3.*
3.0
3.0.2
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.5.0
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.7.0
3.7.1
3.7.2
3.7.3
3.8.0
4.*
4.0.0
4.1.0
4.1.1
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.3.0
4.3.2
4.3.3
4.3.4
4.3.5
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.5.1
4.5.2
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.7.1
4.8.0
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
5.*
5.0.0
5.0.1
5.0.2
5.1.0
5.1.1
5.2.0
5.2.1
5.2.2
5.3.0
5.3.1
5.3.2
5.4.0
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4