lxml <6.1.0 XML Parser: LFR via resolve_entities=True
CVE-2026-41066 Published on April 24, 2026

lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.

NVD

Vulnerability Analysis

CVE-2026-41066 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

What is a XXE Vulnerability?

The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVE-2026-41066 has been classified to as a XXE vulnerability or weakness.


Products Associated with CVE-2026-41066

Want to know whenever a new CVE is published for Lxml? stack.watch will email you.

Lxml
 

Affected Versions

lxml Version < 6.1.0 is affected by CVE-2026-41066