VYPR

Lxml

by Lxml

pypi: lxml

Source repositories

CVEs (6)

  • CVE-2026-41066HigApr 24, 2026
    risk 0.42cvss 7.5epss 0.00

    lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to…

  • CVE-2014-3146MedMay 14, 2014
    risk 0.36cvss 6.1epss 0.06

    Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.

  • CVE-2024-37388Jun 7, 2024
    risk 0.00cvss epss 0.01

    An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.

  • CVE-2022-2309Jul 5, 2022
    risk 0.00cvss epss 0.02

    NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data,…

  • CVE-2021-43818Dec 13, 2021
    risk 0.00cvss epss 0.02

    lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a…

  • CVE-2020-27783Dec 3, 2020
    risk 0.00cvss epss 0.04

    A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.