๐Ÿ” CVE Alert

CVE-2026-41066

Severity: HIGH (CVSS 7.5)

lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files

CVSS Score: 7.5
EPSS Score: 0.0%
EPSS Percentile: 0th

lxml is a library for processing XML and HTML in the Python language. Prior to version 6.1.0, using either of these two parsers (iterparse() or ETCompatXMLParser()) in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.
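The mitigation the advisory names, as an added example that is not part of the advisory or of lxml's own code: a parser factory that sets resolve_entities=False (plus no_network=True) and a check, run over a constructed document whose external entity points at a constructed temporary file, that the reference stays unexpanded in both the fromstring() and iterparse() paths. lxml is an assumed installed dependency.

```python
import io
import os
import tempfile

from lxml import etree  # assumed dependency


def hardened_parser() -> etree.XMLParser:
    # resolve_entities=False leaves every entity reference unexpanded, so a
    # SYSTEM entity can never pull a local file into the parsed tree.
    # no_network=True additionally refuses to fetch DTDs/entities over HTTP(S).
    return etree.XMLParser(resolve_entities=False, no_network=True)


def parse_untrusted(data: bytes) -> etree._Element:
    return etree.fromstring(data, parser=hardened_parser())


def iterparse_untrusted(data: bytes) -> etree._Element:
    # iterparse() takes the same option directly; the last "end" event is the root.
    root = None
    for _event, elem in etree.iterparse(io.BytesIO(data), events=("end",),
                                        resolve_entities=False, no_network=True):
        root = elem
    return root


def _unexpanded(root: etree._Element, marker: bytes) -> bool:
    # The reference must survive as an _Entity node and no file content may appear.
    if root.text is not None or len(root) != 1:
        return False
    child = root[0]
    return (isinstance(child, etree._Entity) and child.name == "ext"
            and marker not in etree.tostring(root))


def entity_left_unexpanded(secret_path: str, marker: bytes) -> bool:
    # Constructed document whose external entity points at a local file.
    doc = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file://' + secret_path.encode() + b'">]>\n'
           b'<d>&ext;</d>')
    return all(_unexpanded(root, marker)
               for root in (parse_untrusted(doc), iterparse_untrusted(doc)))


def demo() -> bool:
    marker = b"CONSTRUCTED-SECRET"  # constructed file content, never expected in the tree
    with tempfile.NamedTemporaryFile("wb", suffix=".txt", delete=False) as f:
        f.write(marker)
    try:
        return entity_left_unexpanded(f.name, marker)
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    print("hardened parser kept the entity unexpanded:", demo())
```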

CWE: CWE-611
Vendor: lxml
Product: lxml
Published: Apr 24, 2026
Last Updated: Apr 24, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Affected Versions

lxml / lxml: < 6.1.0

References

github.com: https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw
bugs.launchpad.net: https://bugs.launchpad.net/lxml/+bug/2146291