cvedb.io
CVE-2026-41066
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-04-24T17:16:20.933 · Last modified 2026-06-17T10:46:06.993

Summary

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of its two parsers in the default configuration (resolve_entities=True) allows untrusted XML input to read local files. Explicitly setting the resolve_entities option to resolve_entities='internal' or resolve_entities=False disables this local file access. The vulnerability is fixed in 6.1.0.

Affected products

lxml — lxml

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.