Action not permitted
Modal body text goes here.
Modal Title
Modal Body
GHSA-VFMQ-68HX-4JFW
Vulnerability from github – Published: 2026-04-21 20:38 – Updated: 2026-06-06 00:59
VLAI
Summary
lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files
Details
Impact
Using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files.
Patches
lxml 6.1.0 changes the default to resolve_entities='internal', thus disallowing local file access by default.
Workarounds
Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access.
Resources
Original report: https://bugs.launchpad.net/lxml/+bug/2146291
The default option was changed to resolve_entities='internal' for the normal XML and HTML parsers in lxml 5.0. The default was not changed for iterparse() and ETCompatXMLParser() at the time. lxml 6.1 makes the safe option the default for all parsers.
Severity
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "lxml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41066"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-21T20:38:44Z",
"nvd_published_at": "2026-04-24T17:16:20Z",
"severity": "HIGH"
},
"details": "### Impact\nUsing either of the two parsers in the default configuration (with `resolve_entities=True`) allows untrusted XML input to read local files.\n\n### Patches\nlxml 6.1.0 changes the default to `resolve_entities=\u0027internal\u0027`, thus disallowing local file access by default.\n\n### Workarounds\nSetting the `resolve_entities` option explicitly to `resolve_entities=\u0027internal\u0027` or `resolve_entities=False` disables the local file access.\n\n### Resources\nOriginal report: https://bugs.launchpad.net/lxml/+bug/2146291\n\nThe default option was changed to `resolve_entities=\u0027internal\u0027` for the normal XML and HTML parsers in lxml 5.0. The default was not changed for `iterparse()` and `ETCompatXMLParser()` at the time. lxml 6.1 makes the safe option the default for all parsers.",
"id": "GHSA-vfmq-68hx-4jfw",
"modified": "2026-06-06T00:59:15Z",
"published": "2026-04-21T20:38:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41066"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/lxml/+bug/2146291"
},
{
"type": "PACKAGE",
"url": "https://github.com/lxml/lxml"
},
{
"type": "WEB",
"url": "https://github.com/lxml/lxml/releases/tag/lxml-6.1.0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2026-87.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files"
}
cleanstart-2026-nm83456
Vulnerability from cleanstart
Published
2026-06-11 00:58
Modified
2026-06-10 12:40
Summary
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python
Details
Multiple security vulnerabilities affect the airflow-2 package. AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. See references for individual vulnerability details.
Severity
9.8 (Critical)
References
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "airflow-2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.3-r2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the airflow-2 package. AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-NM83456",
"modified": "2026-06-10T12:40:12Z",
"published": "2026-06-11T00:58:47.477773Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-NM83456.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-12797"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-52303"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-52304"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-56201"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-56326"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-24023"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-27516"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-32962"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-43859"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-4565"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-53643"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-57804"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58065"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-68480"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69223"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69224"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69225"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69226"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69227"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69228"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69230"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-0994"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-21226"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-22815"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23490"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26007"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27205"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34073"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34513"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34514"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34515"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34516"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34517"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34518"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34519"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34520"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41066"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41205"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-44307"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-44405"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-44503"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-45409"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-27jp-wm6q-gp25"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-27mf-ghqm-j3j8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-29h4-r29x-hchv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g68-c3qc-8985"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2h4p-vjrc-8xpq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2vrm-gr82-f7m5"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2xpw-w6gg-jr37"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38jv-5279-wg99"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3wq7-rqq7-wx6j"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-428g-f7cq-pgp5"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5239-wwwm-4pmq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-54jq-c3m8-4m76"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-58pv-8j8x-9vj2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5rjg-fvgr-3xxf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-63hf-3vf5-4wqf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-63vm-454h-vhhq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-65pc-fj4g-8rjx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-68rp-wp8r-4726"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-6jhg-hg63-jvvf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-6mq8-rvhq-8wgg"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-752w-5fwx-jx9f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-765j-9r45-w2q2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-78cv-mqj4-43f7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-79v4-65xg-pq4g"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7cx3-6m66-7c5m"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7gcm-g887-7qv7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7j59-v9qr-6fq9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-847f-9342-265h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8495-4g3g-x7pr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-87hc-h4r5-73f7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8qvm-5x2c-j2w7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8rrh-rw8j-w5fx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8w49-h785-mj3c"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9548-qrrj-x5pj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-966j-vmvw-g2g9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9hjg-9r4m-mvj7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c427-h43c-vf67"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-cpwx-vrp4-4pq7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f9vj-2wh5-fj8j"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fh55-r93g-j68g"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fqwm-6jpj-5wxc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-g84x-mcqj-x9qq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-gc5v-m9x4-r6x2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-gm62-xv2j-4w53"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-gmj6-6f8f-6699"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-h4gh-qq45-vh27"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hcc4-c3v8-rx92"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hgf8-39gv-g3f2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hrfv-mqp8-q5rw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jm66-cg57-jjv5"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jr27-m4p2-rc6r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m5qp-6w8w-w647"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mf9w-mj56-hr94"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mrfv-m5wm-5w6w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mwh4-6h8g-pg8w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-p8q5-cvwx-wvwp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-p998-jp59-783m"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pq67-6m6q-mj2v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-q2x7-8rv6-6q7h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-q34m-jh98-gwm2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qccp-gfcp-xxvc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qjxf-f2mg-c6mc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r244-wg5g-6w2r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6ph-v2qm-q3c2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v92g-xgxw-vvmm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vfmq-68hx-4jfw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vqfr-h8mv-ghfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w2fm-2cpv-w7v5"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12797"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52303"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52304"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56201"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56326"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24023"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27516"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32962"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43859"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4565"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53643"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57804"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58065"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68480"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69223"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69224"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69225"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69226"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69227"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69228"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69230"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0994"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21226"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22815"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23490"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26007"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27205"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34073"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34513"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34514"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34515"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34516"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34517"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34518"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34519"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34520"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41066"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41205"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44307"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44405"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44503"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45409"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python",
"upstream": [
"CVE-2024-12797",
"CVE-2024-52303",
"CVE-2024-52304",
"CVE-2024-56201",
"CVE-2024-56326",
"CVE-2025-24023",
"CVE-2025-27516",
"CVE-2025-32962",
"CVE-2025-43859",
"CVE-2025-4565",
"CVE-2025-53643",
"CVE-2025-57804",
"CVE-2025-58065",
"CVE-2025-68480",
"CVE-2025-69223",
"CVE-2025-69224",
"CVE-2025-69225",
"CVE-2025-69226",
"CVE-2025-69227",
"CVE-2025-69228",
"CVE-2025-69229",
"CVE-2025-69230",
"CVE-2026-0994",
"CVE-2026-21226",
"CVE-2026-22815",
"CVE-2026-23490",
"CVE-2026-26007",
"CVE-2026-27205",
"CVE-2026-34073",
"CVE-2026-34513",
"CVE-2026-34514",
"CVE-2026-34515",
"CVE-2026-34516",
"CVE-2026-34517",
"CVE-2026-34518",
"CVE-2026-34519",
"CVE-2026-34520",
"CVE-2026-34525",
"CVE-2026-41066",
"CVE-2026-41205",
"CVE-2026-44307",
"CVE-2026-44405",
"CVE-2026-44503",
"CVE-2026-45409",
"ghsa-27jp-wm6q-gp25",
"ghsa-27mf-ghqm-j3j8",
"ghsa-29h4-r29x-hchv",
"ghsa-2g68-c3qc-8985",
"ghsa-2h4p-vjrc-8xpq",
"ghsa-2vrm-gr82-f7m5",
"ghsa-2xpw-w6gg-jr37",
"ghsa-38jv-5279-wg99",
"ghsa-3wq7-rqq7-wx6j",
"ghsa-428g-f7cq-pgp5",
"ghsa-5239-wwwm-4pmq",
"ghsa-54jq-c3m8-4m76",
"ghsa-58pv-8j8x-9vj2",
"ghsa-5rjg-fvgr-3xxf",
"ghsa-63hf-3vf5-4wqf",
"ghsa-63vm-454h-vhhq",
"ghsa-65pc-fj4g-8rjx",
"ghsa-68rp-wp8r-4726",
"ghsa-6jhg-hg63-jvvf",
"ghsa-6mq8-rvhq-8wgg",
"ghsa-752w-5fwx-jx9f",
"ghsa-765j-9r45-w2q2",
"ghsa-78cv-mqj4-43f7",
"ghsa-79v4-65xg-pq4g",
"ghsa-7cx3-6m66-7c5m",
"ghsa-7gcm-g887-7qv7",
"ghsa-7j59-v9qr-6fq9",
"ghsa-847f-9342-265h",
"ghsa-8495-4g3g-x7pr",
"ghsa-87hc-h4r5-73f7",
"ghsa-8qvm-5x2c-j2w7",
"ghsa-8rrh-rw8j-w5fx",
"ghsa-8w49-h785-mj3c",
"ghsa-9548-qrrj-x5pj",
"ghsa-966j-vmvw-g2g9",
"ghsa-9hjg-9r4m-mvj7",
"ghsa-c427-h43c-vf67",
"ghsa-cpwx-vrp4-4pq7",
"ghsa-f9vj-2wh5-fj8j",
"ghsa-fh55-r93g-j68g",
"ghsa-fqwm-6jpj-5wxc",
"ghsa-g84x-mcqj-x9qq",
"ghsa-gc5v-m9x4-r6x2",
"ghsa-gm62-xv2j-4w53",
"ghsa-gmj6-6f8f-6699",
"ghsa-h4gh-qq45-vh27",
"ghsa-hcc4-c3v8-rx92",
"ghsa-hgf8-39gv-g3f2",
"ghsa-hrfv-mqp8-q5rw",
"ghsa-jm66-cg57-jjv5",
"ghsa-jr27-m4p2-rc6r",
"ghsa-m5qp-6w8w-w647",
"ghsa-mf9w-mj56-hr94",
"ghsa-mrfv-m5wm-5w6w",
"ghsa-mwh4-6h8g-pg8w",
"ghsa-p8q5-cvwx-wvwp",
"ghsa-p998-jp59-783m",
"ghsa-pq67-6m6q-mj2v",
"ghsa-q2x7-8rv6-6q7h",
"ghsa-q34m-jh98-gwm2",
"ghsa-qccp-gfcp-xxvc",
"ghsa-qjxf-f2mg-c6mc",
"ghsa-r244-wg5g-6w2r",
"ghsa-r6ph-v2qm-q3c2",
"ghsa-v92g-xgxw-vvmm",
"ghsa-vfmq-68hx-4jfw",
"ghsa-vqfr-h8mv-ghfj",
"ghsa-w2fm-2cpv-w7v5"
]
}
CVE-2026-41066 (GCVE-0-2026-41066)
Vulnerability from cvelistv5 – Published: 2026-04-24 16:45 – Updated: 2026-04-24 18:04
VLAI
EPSS
Title
lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files
Summary
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/lxml/lxml/security/advisories/… | x_refsource_CONFIRM |
| https://bugs.launchpad.net/lxml/+bug/2146291 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41066",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T18:03:40.722204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:04:04.548Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lxml",
"vendor": "lxml",
"versions": [
{
"status": "affected",
"version": "\u003c 6.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities=\u0027internal\u0027 or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T16:45:19.617Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw"
},
{
"name": "https://bugs.launchpad.net/lxml/+bug/2146291",
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.launchpad.net/lxml/+bug/2146291"
}
],
"source": {
"advisory": "GHSA-vfmq-68hx-4jfw",
"discovery": "UNKNOWN"
},
"title": "lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41066",
"datePublished": "2026-04-24T16:45:19.617Z",
"dateReserved": "2026-04-16T16:43:03.174Z",
"dateUpdated": "2026-04-24T18:04:04.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
PYSEC-2026-87
Vulnerability from pysec - Published: 2026-04-24 17:16 - Updated: 2026-05-20 09:19
VLAI
Details
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.
Severity
7.5 (High)
Impacted products
| Name | purl | lxml | pkg:pypi/lxml |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "lxml",
"purl": "pkg:pypi/lxml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.1.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.3.2",
"1.3.3",
"1.3.4",
"1.3.5",
"1.3.6",
"2.0",
"2.0.10",
"2.0.11",
"2.0.4",
"2.0.5",
"2.0.6",
"2.0.7",
"2.0.8",
"2.0.9",
"2.1",
"2.1.1",
"2.1.2",
"2.1.3",
"2.1.4",
"2.1.5",
"2.2",
"2.2.1",
"2.2.2",
"2.2.3",
"2.2.4",
"2.2.5",
"2.2.6",
"2.2.7",
"2.2.8",
"2.3",
"2.3.1",
"2.3.2",
"2.3.3",
"2.3.4",
"2.3.5",
"2.3.6",
"3.0",
"3.0.2",
"3.1.0",
"3.1.1",
"3.1.2",
"3.2.0",
"3.2.1",
"3.2.2",
"3.2.3",
"3.2.4",
"3.2.5",
"3.3.0",
"3.3.1",
"3.3.2",
"3.3.3",
"3.3.4",
"3.3.5",
"3.3.6",
"3.4.0",
"3.4.1",
"3.4.2",
"3.4.3",
"3.4.4",
"3.5.0",
"3.6.0",
"3.6.1",
"3.6.2",
"3.6.3",
"3.6.4",
"3.7.0",
"3.7.1",
"3.7.2",
"3.7.3",
"3.8.0",
"4.0.0",
"4.1.0",
"4.1.1",
"4.2.0",
"4.2.1",
"4.2.2",
"4.2.3",
"4.2.4",
"4.2.5",
"4.2.6",
"4.3.0",
"4.3.2",
"4.3.3",
"4.3.4",
"4.3.5",
"4.4.0",
"4.4.1",
"4.4.2",
"4.4.3",
"4.5.0",
"4.5.1",
"4.5.2",
"4.6.0",
"4.6.1",
"4.6.2",
"4.6.3",
"4.6.4",
"4.6.5",
"4.7.1",
"4.8.0",
"4.9.0",
"4.9.1",
"4.9.2",
"4.9.3",
"4.9.4",
"5.0.0",
"5.0.1",
"5.0.2",
"5.1.0",
"5.1.1",
"5.2.0",
"5.2.1",
"5.2.2",
"5.3.0",
"5.3.1",
"5.3.2",
"5.4.0",
"6.0.0",
"6.0.1",
"6.0.2",
"6.0.3",
"6.0.4"
]
}
],
"aliases": [
"CVE-2026-41066",
"GHSA-vfmq-68hx-4jfw"
],
"details": "lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities=\u0027internal\u0027 or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.",
"id": "PYSEC-2026-87",
"modified": "2026-05-20T09:19:06.179641Z",
"published": "2026-04-24T17:16:20.933Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw"
},
{
"type": "REPORT",
"url": "https://bugs.launchpad.net/lxml/+bug/2146291"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…