CVE-2026-41066

HIGH

lxml <6.1.0 - Info Disclosure

Title source: llm

Description

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.

References (2)

[Issue Tracking] https://bugs.launchpad.net/lxml/+bug/2146291

[Vendor Advisory] https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw

Scores

CVSS v3 7.5

EPSS 0.0004

EPSS Percentile 12.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-611

Status published

Products (1)

lxml/lxml < 6.1.0

Published Apr 24, 2026

Tracked Since Apr 26, 2026