{"id":"PYSEC-2026-87","details":"lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, parsing untrusted XML with either of the two parsers in the default configuration (resolve_entities=True) allows that input to read local files. Explicitly setting resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.","aliases":["CVE-2026-41066","GHSA-vfmq-68hx-4jfw"],"modified":"2026-05-20T09:19:06.179641Z","published":"2026-04-24T17:16:20.933Z","references":[{"type":"ADVISORY","url":"https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw"},{"type":"REPORT","url":"https://bugs.launchpad.net/lxml/+bug/2146291"}],"affected":[{"package":{"name":"lxml","ecosystem":"PyPI","purl":"pkg:pypi/lxml"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.0"}]}],"versions":["1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","2.0","2.0.10","2.0.11","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","2.1","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.2","2.2.1","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.2.8","2.3","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","3.0","3.0.2","3.1.0","3.1.1","3.1.2","3.2.0","3.2.1","3.2.2","3.2.3","3.2.4","3.2.5","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.4.0","3.4.1","3.4.2","3.4.3","3.4.4","3.5.0","3.6.0","3.6.1","3.6.2","3.6.3","3.6.4","3.7.0","3.7.1","3.7.2","3.7.3","3.8.0","4.0.0","4.1.0","4.1.1","4.2.0","4.2.1","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.3.0","4.3.2","4.3.3","4.3.4","4.3.5","4.4.0","4.4.1","4.4.2","4.4.3","4.5.0","4.5.1","4.5.2","4.6.0","4.6.1","4.6.2","4.6.3","4.6.4","4.6.5","4.7.1","4.8.0","4.9.0","4.9.1","4.9.2","4.9.3","4.9.4","5.0.0","5.0.1","5.0.2","5.1.0","5.1.1","5.2.0","5.2.1","5.2.2","5.3.0","5.3.1","5.3.2","5.4.0","6.0.0","6.0.1","6.0.2","6.0.3","6.0.4"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/lxml/PYSEC-2026-87.yaml\n"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}