CVE-2026-41066

Name: CVE-2026-41066
Description: lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                        | Version                 | Status
lxml (PTS)     | bullseye (security), bullseye  | 4.6.3+dfsg-0.1+deb11u1  | vulnerable
               | bookworm                       | 4.9.2-1                 | vulnerable
               | trixie                         | 5.4.0-1                 | vulnerable
               | forky                          | 6.0.2-1                 | vulnerable
               | sid                            | 6.1.0-1                 | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
lxml    | source | (unstable) | 6.1.0-1       |         |        |

Notes

https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw
https://bugs.launchpad.net/lxml/+bug/2146291
