=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN409
_____________________________________________________________________

DATE                : 22/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running lxml (pip) versions prior to 6.1.0.

=====================================================================
https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw
_____________________________________________________________________


Default configuration of iterparse() and ETCompatXMLParser() allows
XXE to local files
Severity: High
Published by scoder as GHSA-vfmq-68hx-4jfw on Apr 18, 2026

Package
lxml (pip)

Affected versions
< 6.1

Patched versions
6.1.0


Description


Impact

Using either of the two parsers in the default configuration (with
resolve_entities=True) allows untrusted XML input to read local
files.


Patches

lxml 6.1 changes the default to resolve_entities='internal', thus
disallowing local file access by default.


Workarounds

Setting the resolve_entities option explicitly to
resolve_entities='internal' or resolve_entities=False disables
the local file access.


References

Original report: https://bugs.launchpad.net/lxml/+bug/2146291

The default option was changed to resolve_entities='internal'
for the normal XML and HTML parsers in lxml 5.0. The default
was not changed for iterparse() and ETCompatXMLParser() at
the time. lxml 6.1 makes the safe option the default for
all parsers.


Severity            : High (7.5 / 10)

CVSS v3 base metrics
  Attack vector      : Network
  Attack complexity  : Low
  Privileges required: None
  User interaction   : None
  Scope              : Unchanged
  Confidentiality    : High
  Integrity          : None
  Availability       : None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID
CVE-2026-41066

Weaknesses
CWE-611 (Improper Restriction of XML External Entity Reference)

Credits

    @Brubbish (Brubbish), reporter


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================