XML and HTML Processing Library Vulnerability in lxml by the Vendor lxml
CVE-2026-41066

7.5HIGH

Key Information:

Vendor: Lxml
Status: Lxml
Vendor: CVE Published:; 24 April 2026

What is CVE-2026-41066?

The lxml library, widely used for processing XML and HTML in Python, has a vulnerability in versions prior to 6.1.0. When the default configuration is set with resolve_entities=True, it enables untrusted XML inputs to read local files, posing a significant security risk. To mitigate this vulnerability, users are advised to configure the resolve_entities option to either internal or False. The issue has been addressed in version 6.1.0. For further details, refer to the security advisories and bug reports provided.

Affected Version(s)

lxml < 6.1.0

References

https://github.com/lxml/lxml/security/advisories/GHSA-vfm...

x_refsource_CONFIRM

https://bugs.launchpad.net/lxml/+bug/2146291

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Apr 16, 2026

CVE-2026-41066 Data

JSON

Lxml

What is CVE-2026-41066?

Affected Version(s)

References

CVSS V3.1

Timeline