PT-2026-34232 · Pypi · Lxml
Brubbish · Published 2026-04-21 · Updated 2026-04-29 · CVE-2026-41066
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: lxml versions prior to 6.1.0
Description: With the default parser configuration, in which the resolve_entities setting is True, untrusted XML input can read local files through external entity expansion (XXE). This issue affects the iterparse() and ETCompatXMLParser() functions.
Recommendations: Update to version 6.1.0. As a temporary workaround, explicitly set the resolve_entities setting to 'internal' or False to disable local file access.
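The following is an added example, not code from the advisory or from the lxml project, showing the workaround above as a hardened XMLParser configuration together with a self-contained regression check. It assumes lxml is installed; the function names (hardened_parser, parse_untrusted, external_entity_leaks, hardened_parser_blocks_leak) and the marker file it creates are constructed for this illustration.

```python
# Added example (not from the advisory or from lxml itself): a parser for
# untrusted XML that follows the advisory's workaround, plus a check that
# an external entity declared in the input does not surface in the tree.
# Assumes lxml is installed; all helper names are hypothetical.
import os
import tempfile

from lxml import etree


def hardened_parser() -> etree.XMLParser:
    """Parser for untrusted XML: entities are not substituted, no external
    DTD is loaded and no network access is allowed during parsing."""
    return etree.XMLParser(
        resolve_entities=False,  # advisory workaround; 'internal' is the other option
        no_network=True,
        load_dtd=False,
    )


def parse_untrusted(xml_bytes: bytes) -> etree._Element:
    """Parse attacker-controlled XML with the hardened parser."""
    return etree.fromstring(xml_bytes, parser=hardened_parser())


def external_entity_leaks(parser: etree.XMLParser) -> bool:
    """Regression check: parse a constructed document whose DTD declares an
    external entity pointing at a temporary file created here, and report
    whether that file's marker text ended up in the parsed tree."""
    marker = b"CONSTRUCTED-SECRET-MARKER"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker)
        path = tmp.name
    try:
        doc = (
            b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE root [<!ENTITY ext SYSTEM "file://' + path.encode() + b'">]>\n'
            b"<root>&ext;</root>"
        )
        root = etree.fromstring(doc, parser=parser)
        serialized = etree.tostring(root)
        return marker in serialized or marker.decode() in (root.text or "")
    finally:
        os.unlink(path)


def hardened_parser_blocks_leak() -> bool:
    """True when the hardened parser keeps the file contents out of the tree."""
    return not external_entity_leaks(hardened_parser())
```

Use parse_untrusted() wherever XML from outside the trust boundary is handled; the regression check is meant for a test suite so that a later change to parser defaults (or an upgrade that reintroduces entity substitution) is caught before it reaches production.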

Exploit · Fix · XXE

Weakness Enumeration

Related Identifiers

CVE-2026-41066
ECHO-E83F-9E30-4171
GHSA-VFMQ-68HX-4JFW
OESA-2026-2008
OESA-2026-2009
OESA-2026-2010
OESA-2026-2011
OESA-2026-2012
OPENSUSE-SU-2026:10596-1
PYSEC-2026-87

Affected Products

Lxml