CVE-2026-58501
Zeep SSRF because Settings.forbid_external is not enforced
CVSS Score
5.9
EPSS Score
0.0%
EPSS Percentile
0th
Zeep is a Python SOAP client. From 4.0.0 before 4.3.3, Settings.forbid_external is defined but not enforced when parsing WSDL or XSD documents, allowing transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. This issue is fixed in version 4.3.3.
| CWE | CWE-918 |
| Vendor | mvantellingen |
| Product | python-zeep |
| Published | Jul 8, 2026 |
| Last Updated | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for mvantellingen python-zeep
Be the first to know when new medium vulnerabilities affecting mvantellingen python-zeep are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
mvantellingen / python-zeep
>= 4.0.0, < 4.3.3