CVE-2026-41066 — XML External Entity (XXE) Injection in Lxml

CWE-611 — XML External Entity (XXE) Injection5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 91.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lxml Ansible-automation-platform-25 Ee-supported-rhel8 Ansible-automation-platform-26 Controller-rhel9 +14 more

Timeline

PublishedApr 24

Description

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages18 packages

▶Red Hatsatellite_el8/python-lxml

▶CVEListV5lxml/lxml< 6.1.0

▶PyPIlxml/lxml< 6.1.0

▶Red Hatjqlang/jq

▶Red Hatquay/quay-rhel8

🔴Vulnerability Details

VulDB

lxml up to 6.0.x xml external entity reference (GHSA-vfmq-68hx-4jfw)↗2026-04-24

▶

GHSA

lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files↗2026-04-21

▶

📋Vendor Advisories

Red Hat

lxml: python: lxml: Information disclosure via untrusted XML input leading to local file read↗2026-04-24

▶

💬Community

Bugzilla

CVE-2026-41066 lxml: python: lxml: Information disclosure via untrusted XML input leading to local file read↗2026-04-24

▶