High severity (CVSS 7.5) · NVD Advisory · Published Apr 24, 2026 · Updated Apr 27, 2026
CVE-2026-41066
Description
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.
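The mitigation the description names, as an added example that is not code from lxml or from the advisory: an `XMLParser` built with `resolve_entities=False` (the page's alternative, `resolve_entities='internal'`, expands only entities declared in the document's own internal subset), a helper that lists entity references the parser left unexpanded, and a self-check that feeds the parser a constructed document whose `SYSTEM` entity points at a constructed temporary file and confirms the file's contents never enter the tree. Function names, the temporary file and its contents are this example's own; it assumes a POSIX path so the `file://` URL is well formed.

```python
import os
import tempfile

from lxml import etree


def hardened_parser():
    """XMLParser configured so untrusted input cannot pull in local files.

    resolve_entities=False leaves every entity reference unexpanded; the other
    fix from the advisory, resolve_entities='internal', expands only entities
    declared in the document's own internal subset. no_network is already the
    default but is set explicitly so the intent survives code review.
    """
    return etree.XMLParser(resolve_entities=False, no_network=True, load_dtd=False)


def parse_untrusted(xml_bytes):
    """Parse bytes from an untrusted source with the hardened parser."""
    return etree.fromstring(xml_bytes, hardened_parser())


def unresolved_entities(root):
    """Names of entity references the parser left unexpanded.

    With the hardened parser an external entity shows up here instead of
    having its target file's contents spliced into the tree.
    """
    return [node.name for node in root.iter(etree.Entity)]


def check_local_file_not_read():
    """Self-check: a SYSTEM entity naming a local file must not be expanded.

    The file and its contents are constructed for this example; they stand in
    for any local file an attacker-controlled document might name.
    """
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as fh:
        fh.write("CONSTRUCTED-SECRET")
        path = fh.name
    try:
        # Constructed untrusted document: declares an external entity in the
        # internal subset and references it in element content.
        doc = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE data [<!ENTITY ext SYSTEM "file://%s">]>\n'
            "<data>&ext;</data>" % path
        ).encode()
        root = parse_untrusted(doc)
        return {
            "serialized": etree.tostring(root),   # b'<data>&ext;</data>'
            "unresolved": unresolved_entities(root),  # ['ext']
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = check_local_file_not_read()
    print(result["serialized"])
    print(result["unresolved"])
```

A non-empty result from `unresolved_entities` on a document that was expected to contain none is a cheap signal worth logging: it means the input declared entities the application did not anticipate, which is the shape of the input this advisory is about.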
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lxml (PyPI) | < 6.1.0 | 6.1.0 |
Affected products
OSV coordinates (no CPE assigned to any entry).
| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/airflow-3 | < 3.2.1-r1 |
| pkg:apk/chainguard/authentik-2025.12 | < 2025.12.4-r5 |
| pkg:apk/chainguard/authentik-fips-2025.12 | < 2025.12.4-r4 |
| pkg:apk/chainguard/datadog-agent-7.76-core-integrations | < 7.76.3-r15 |
| pkg:apk/chainguard/datadog-agent-7.77-core-integrations | < 7.77.3-r6 |
| pkg:apk/chainguard/datadog-agent-fips-7.73-core-integrations | < 7.73.3-r10 |
| pkg:apk/chainguard/datadog-agent-fips-7.74-core-integrations | < 7.74.1-r9 |
| pkg:apk/chainguard/datadog-agent-fips-7.76-core-integrations | < 7.76.3-r13 |
| pkg:apk/chainguard/datadog-agent-fips-7.77-core-integrations | < 7.77.3-r2 |
| pkg:apk/chainguard/datahub-ingestion | < 1.5.0.6-r0 |
| pkg:apk/chainguard/datahub-ingestion-fips | < 1.5.0.4-r0 |
| pkg:apk/chainguard/kubeflow-pipelines-visualization-server | < 2.16.0-r5 |
| pkg:apk/chainguard/label-studio | < 1.23.0-r4 |
| pkg:apk/chainguard/nemo | < 2.7.2-r2 |
| pkg:apk/chainguard/open-webui | < 0.8.12-r3 |
| pkg:apk/chainguard/synapse | < 1.151.0-r3 |
| pkg:apk/wolfi/airflow-3 | < 3.2.1-r1 |
| pkg:apk/wolfi/datadog-agent-7.76-core-integrations | < 7.76.3-r15 |
| pkg:apk/wolfi/datadog-agent-7.77-core-integrations | < 7.77.3-r6 |
| pkg:apk/wolfi/kubeflow-pipelines-visualization-server | < 2.16.0-r5 |
| pkg:apk/wolfi/open-webui | < 0.8.12-r3 |
| pkg:pypi/lxml | < 6.1.0 |
| pkg:rpm/opensuse/python-lxml&distro=openSUSE%20Tumbleweed | < 6.1.0-1.1 |
| pkg:rpm/suse/python-lxml&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 | < 4.7.1-150200.3.15.1 |
| pkg:rpm/suse/python-lxml&distro=SUSE%20Linux%20Enterprise%20Micro%205.4 | < 4.7.1-150200.3.15.1 |
References
- bugs.launchpad.net/lxml/+bug/2146291 (NVD; tagged Exploit, Issue Tracking, Third Party Advisory)
- github.com/advisories/GHSA-vfmq-68hx-4jfw (GHSA advisory)
- github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw (NVD; tagged Mitigation, Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-41066 (GHSA advisory)
- github.com/lxml/lxml/releases/tag/lxml-6.1.0 (GHSA)
- github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2026-87.yaml (GHSA)