{"id":"CVE-2026-41066","summary":"lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files","details":"lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.","aliases":["GHSA-vfmq-68hx-4jfw","PYSEC-2026-87"],"modified":"2026-06-18T03:57:09.801109545Z","published":"2026-04-24T16:45:19.617Z","related":["CGA-48q6-wgrm-m89m","SUSE-SU-2026:21587-1","SUSE-SU-2026:21603-1","SUSE-SU-2026:21731-1","openSUSE-SU-2026:10596-1","openSUSE-SU-2026:20737-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41066.json","cwe_ids":["CWE-611"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://bugs.launchpad.net/lxml/+bug/2146291"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41066.json"},{"type":"ADVISORY","url":"https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41066"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lxml/lxml","events":[{"introduced":"0"},{"fixed":"43722f4402afa48b7890a96ce012eb0b9b1af5be"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"6.1.0"},{"introduced":"0"},{"fixed":"6.1.0"}],"source":["AFFECTED_FIELD","CPE_RANGE"],"cpe":"cpe:2.3:a:lxml:lxml:*:*:*:*:*:*:*:*"}}],"versions":["lxml-6.0.4","lxml-6.0.3","lxml-6.0.2","lxml-6.0.1","lxml-6.0.0","lxml-5.3.0","lxml-5.2.1","lxml-5.2.0","lxml-5.1.1","lxml-5.1.0-2","lxml-5.1.0-1","lxml-5.1.0","lxml-5.0.0","lxml-4.9.2","lxml-5.0a0","lxml-4.9.1","lxml-4.9.0","lxml-4.8.0","lxml-4.7.1","lxml-4.7.0","lxml-4.7.0-pre","lxml-4.6.3","lxml-4.6.2","lxml-4.6.1","lxml-4.6.0","lxml-4.5.2","lxml-4.5.1","lxml-4.5.0","lxml-4.4.1","lxml-4.4.0","lxml-4.3.2","lxml-4.3.1","lxml-4.3.0","lxml-4.2.2","lxml-4.2.1","lxml-4.2.0","lxml-4.1.1","lxml-4.1.0","lxml-4.0.0","lxml-3.8.0-py27fix","lxml-3.8.0","lxml-3.7.2","lxml-3.7.1","lxml-3.7.0","lxml-3.6.1","lxml-3.6.0","lxml-3.5.0","lxml-3.5.0b1","lxml-3.4.1","lxml-3.4.0","lxml-3.4.0beta1","lxml-3.3.3","lxml-3.3.2","lxml-3.3.1","lxml-3.3.0","lxml-3.3.0beta5","lxml-3.3.0beta4","lxml-3.3.0beta3","lxml-3.3.0beta2","lxml-3.3.0beta1","lxml-3.2.3","lxml-3.2.2","lxml-3.2.1","lxml-3.2.0","lxml-3.1.1","lxml-3.1.0","lxml-3.1beta1","lxml-3.0.1","lxml-3.0","lxml-3.0beta1","lxml-3.0alpha2","lxml-3.0alpha1","lxml-2.3.1","lxml-2.3","lxml-2.3beta1","lxml-2.3alpha2","lxml-2.3alpha1","lxml-2.2.2","lxml-2.2.1","lxml-2.2","lxml-2.1","lxml-2.1beta3","lxml-2.1beta2","lxml-2.1beta1","lxml-2.1alpha1","lxml-2.0.1","lxml-2.0","lxml-2.0beta2","lxml-2.0beta1","lxml-2.0alpha6","lxml-2.0alpha5","lxml-2.0alpha4","lxml-2.0alpha3","lxml-2.0alpha2","lxml-2.0alpha1","lxml-1.2","lxml-1.1","lxml-1.1beta","lxml-1.1alpha","lxml-1.0","lxml-1.0.beta","lxml-0.9","lxml-0.7","lxml-0.6","lxml-0.5.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41066.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}