VYPR
High severity · CVSS 8.8 · NVD Advisory · Published Dec 21, 2016 · Updated May 6, 2026

CVE-2016-5851

Description

python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document.
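The fix shipped in 0.8.6 (see the patch below) is to construct lxml's `XMLParser` with `resolve_entities=False`, so entity references in a document part are left unexpanded. For installs that cannot be upgraded immediately, and as a defence-in-depth check on untrusted input in general, the following added example (not python-docx's own code; the package layout and sample parts are constructed for the example) scans the XML parts of an OPC package for the `DOCTYPE` and `ENTITY` declarations that XXE depends on. A well-formed Word document never carries either, so a hit is a decisive reason to reject the file before any parser sees it.

```python
import io
import re
import zipfile

# Word .docx files are OPC zip packages whose parts are XML. python-docx parses those
# parts with lxml; before 0.8.6 the parser resolved entities, so an entity declared in
# a part's DOCTYPE was expanded. A DOCTYPE or ENTITY declaration has no place in a
# normal OOXML part, so its presence is a cheap, decisive pre-parse signal.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b")
_ENTITY_RE = re.compile(rb"<!ENTITY\s+(%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)?")


def scan_package(docx_bytes):
    """Return (part_name, kind, entity_name) findings for every XML part that carries
    a DOCTYPE or an ENTITY declaration. kind is 'doctype', 'internal-entity' or
    'external-entity' (an ENTITY declared with a SYSTEM or PUBLIC identifier)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Relationship parts (.rels) are XML too and are parsed by the same code.
            if not name.endswith((".xml", ".rels")):
                continue
            data = zf.read(name)
            if _DOCTYPE_RE.search(data):
                findings.append((name, "doctype", None))
            for m in _ENTITY_RE.finditer(data):
                kind = "external-entity" if m.group(3) else "internal-entity"
                findings.append((name, kind, m.group(2).decode("ascii", "replace")))
    return findings


def is_safe_to_parse(docx_bytes):
    """True when no part declares a DOCTYPE or entity; such a document can be handed
    to any python-docx version without entity expansion being reachable."""
    return not scan_package(docx_bytes)


def build_docx(document_xml):
    """Constructed minimal package (hypothetical, not a Word-produced file): just the
    parts needed for the scanner to have something to read."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr(
            "_rels/.rels",
            b'<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>',
        )
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


W_NS = b"http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed sample parts. The second declares only an internal entity, which is
# enough for the check to fire; SYSTEM/PUBLIC entities are reported as 'external-entity'.
CLEAN_DOCUMENT = (
    b'<?xml version="1.0"?><w:document xmlns:w="' + W_NS + b'">'
    b"<w:body><w:p/></w:body></w:document>"
)
SUSPICIOUS_DOCUMENT = (
    b'<?xml version="1.0"?><!DOCTYPE w:document [ <!ENTITY marker "constructed"> ]>'
    b'<w:document xmlns:w="' + W_NS + b'"><w:body><w:p>&marker;</w:p></w:body></w:document>'
)

if __name__ == "__main__":
    print(scan_package(build_docx(CLEAN_DOCUMENT)))       # []
    print(scan_package(build_docx(SUSPICIOUS_DOCUMENT)))  # doctype + internal-entity findings
```

The scan reads the raw bytes of each part rather than parsing them, so it cannot itself trigger entity expansion; keep it that way if you adapt it, and treat any finding as a rejection rather than something to clean up and continue with.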

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Affected versions   Patched versions
python-docx (PyPI)  < 0.8.6             0.8.6

Patches

1 patch: commit 61b40b161b64

oxml: don't resolve XML entities in oxml_parser

https://github.com/python-openxml/python-docx · Steve Canny · Apr 10, 2016 · via GHSA
2 files changed · +2 −2
  • docx/opc/oxml.py (+1 −1, modified)
    @@ -16,7 +16,7 @@
     
     # configure XML parser
     element_class_lookup = etree.ElementNamespaceClassLookup()
    -oxml_parser = etree.XMLParser(remove_blank_text=True)
    +oxml_parser = etree.XMLParser(remove_blank_text=True, resolve_entities=False)
     oxml_parser.set_element_class_lookup(element_class_lookup)
     
     nsmap = {
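Review bot: the same parser is built, line for line, here and in docx/oxml/__init__.py, so this one-keyword hardening had to be applied twice and the two copies can drift apart. Consider constructing `oxml_parser` once in a shared helper that the other module imports, so any further parser setting (for example an explicit `load_dtd=False` or `no_network=True`) lands in a single place.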
    
  • docx/oxml/__init__.py (+1 −1, modified)
    @@ -14,7 +14,7 @@
     
     # configure XML parser
     element_class_lookup = etree.ElementNamespaceClassLookup()
    -oxml_parser = etree.XMLParser(remove_blank_text=True)
    +oxml_parser = etree.XMLParser(remove_blank_text=True, resolve_entities=False)
     oxml_parser.set_element_class_lookup(element_class_lookup)
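Review bot: `resolve_entities=False` is the right switch, but nothing in the patch exercises it, so a later refactor of this parser setup could silently reintroduce expansion. Add a regression test that parses a part containing a DOCTYPE with an entity declaration through `oxml_parser` and asserts that the reference is left unresolved in the resulting tree.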
     
     
    

