lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files

Description

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.

Affected Products

Vendor	Product	Versions
lxml	lxml	pip/lxml: < 6.1.0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
open source	lxml	cert_advisory	90%

References

https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw(x_refsource_CONFIRM)
https://bugs.launchpad.net/lxml/+bug/2146291(x_refsource_MISC)

Related News (4 articles)

Tier B

CERT-FR20h ago

Multiples vulnérabilités dans les produits VMware (11 mai 2026)

→ No new info (linked only)

Tier A

Microsoft MSRC15d ago

CVE-2026-41066 lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files

→ No new info (linked only)

Tier C

VulDB17d ago

CVE-2026-41066 | lxml up to 6.0.x xml external entity reference (GHSA-vfmq-68hx-4jfw)

→ No new info (linked only)

Tier B

BSI Advisories19d ago

[NEU] [mittel] lxml: Schwachstelle ermöglicht Offenlegung von Informationen

CVSS 3.17.5 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

lxml@6.1.0

CWECWE-611

PublishedApr 21, 2026

Last enriched17d agov2

lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files

Description

Affected Products

Also Affects

References

Related News (4 articles)

Community Vote

Pin to Dashboard

Verification

Vulnerability Timeline

Version History