CVE-2026-41066 — lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to

Description

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.

How to fix CVE-2026-41066

To remediate CVE-2026-41066, upgrade the affected package to a fixed version below.

—upgrade to 6.1.0-r0 or later
—no fix listed
—upgrade to 6.1.0 or later
—upgrade to 6.1.0 or later

Is CVE-2026-41066 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 6.1.0-r0
from 0
from 0, < 6.1.0
from 0, < 6.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-41066
ADVISORYsecurity.alpinelinux.org/vuln/CVE-2026-41066
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-41066
PATCHgithub.com/lxml/lxml
WEBbugs.launchpad.net