Back to list

lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files — CVE-2026-41066

GitHub · GitHub · CVE-2026-41066

ID
CVE-2026-41066
Date
Updated
Activity
Source
GitHub
Vendor
GitHub
Threat
high
CVSS
7.5
EPSS
0.0006

Summary

### Impact Using either of the two parsers in the default configuration (with `resolve_entities=True`) allows untrusted XML input to read local files. ### Patches lxml 6.1.0 changes the default to `resolve_entities='internal'`, thus disallowing local file access by default. ### Workarounds Setting the `resolve_entities` option explicitly to `resolve_entities='internal'` or `resolve_entities=False` disables the…

Product

pip: lxml

What to do

General, cautious steps (verify details in the official source):

  • Prioritize patching or mitigation immediately (treat as actively risky).
  • Identify affected product versions in your inventory and verify whether you are impacted.
  • Apply vendor patches/updates or recommended mitigations as soon as available.
  • Read the official advisory for exact affected versions and remediation steps.

Official advisory

Related advisories

GitHub GitHub 2026-W23