Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/lxml@4.2.2
Typepypi
Namespace
Namelxml
Version4.2.2
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version6.1.0
Latest_non_vulnerable_version6.1.0
Affected_by_vulnerabilities
0
url VCID-1dyf-bxvq-u3bx
vulnerability_id VCID-1dyf-bxvq-u3bx
summary lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.
references
0
reference_url https://bugs.launchpad.net/lxml/+bug/2146291
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://bugs.launchpad.net/lxml/+bug/2146291
1
reference_url https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw
fixed_packages
0
url pkg:pypi/lxml@6.1.0
purl pkg:pypi/lxml@6.1.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lxml@6.1.0
aliases CVE-2026-41066, GHSA-vfmq-68hx-4jfw, PYSEC-2026-87
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1dyf-bxvq-u3bx
1
url VCID-2q4w-15rf-ykb3
vulnerability_id VCID-2q4w-15rf-ykb3
summary A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
references
0
reference_url https://advisory.checkmarx.net/advisory/CX-2020-4286
reference_id
reference_type
scores
url https://advisory.checkmarx.net/advisory/CX-2020-4286
1
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1901633
reference_id
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1901633
2
reference_url https://github.com/advisories/GHSA-pgww-xf46-h92r
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-pgww-xf46-h92r
3
reference_url https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html
4
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/
5
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/
6
reference_url https://www.debian.org/security/2020/dsa-4810
reference_id
reference_type
scores
url https://www.debian.org/security/2020/dsa-4810
fixed_packages
0
url pkg:pypi/lxml@4.6.2
purl pkg:pypi/lxml@4.6.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1dyf-bxvq-u3bx
1
vulnerability VCID-47q5-tf6f-3kas
2
vulnerability VCID-544b-t8ef-sqd3
3
vulnerability VCID-y6ed-mwdn-8bcv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lxml@4.6.2
aliases CVE-2020-27783, GHSA-pgww-xf46-h92r, PYSEC-2020-62
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2q4w-15rf-ykb3
2
url VCID-47q5-tf6f-3kas
vulnerability_id VCID-47q5-tf6f-3kas
summary cross-site scripting
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43818
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43818
1
reference_url https://github.com/lxml/lxml
reference_id
reference_type
scores
url https://github.com/lxml/lxml
2
reference_url https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
reference_id
reference_type
scores
url https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
3
reference_url https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
reference_id
reference_type
scores
url https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
4
reference_url https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
reference_id
reference_type
scores
url https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
5
reference_url https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
reference_id
reference_type
scores
url https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8
6
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2021-852.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2021-852.yaml
7
reference_url https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44
12
reference_url https://security.gentoo.org/glsa/202208-06
reference_id
reference_type
scores
url https://security.gentoo.org/glsa/202208-06
13
reference_url https://security.netapp.com/advisory/ntap-20220107-0005
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20220107-0005
14
reference_url https://www.debian.org/security/2022/dsa-5043
reference_id
reference_type
scores
url https://www.debian.org/security/2022/dsa-5043
15
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpuapr2022.html
16
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpujul2022.html
17
reference_url https://security.archlinux.org/AVG-2629
reference_id AVG-2629
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2629
18
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-43818
reference_id CVE-2021-43818
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-43818
19
reference_url https://github.com/advisories/GHSA-55x5-fj6c-h6m8
reference_id GHSA-55x5-fj6c-h6m8
reference_type
scores
url https://github.com/advisories/GHSA-55x5-fj6c-h6m8
fixed_packages
0
url pkg:pypi/lxml@4.6.5
purl pkg:pypi/lxml@4.6.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1dyf-bxvq-u3bx
1
vulnerability VCID-y6ed-mwdn-8bcv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lxml@4.6.5
aliases CVE-2021-43818, GHSA-55x5-fj6c-h6m8, PYSEC-2021-852
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-47q5-tf6f-3kas
3
url VCID-544b-t8ef-sqd3
vulnerability_id VCID-544b-t8ef-sqd3
summary An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
references
0
reference_url https://bugs.launchpad.net/lxml/+bug/1888153
reference_id
reference_type
scores
url https://bugs.launchpad.net/lxml/+bug/1888153
1
reference_url https://github.com/advisories/GHSA-jq4v-f5q6-mjqq
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-jq4v-f5q6-mjqq
2
reference_url https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999
reference_id
reference_type
scores
url https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999
3
reference_url https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270
reference_id
reference_type
scores
url https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270
4
reference_url https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html
5
reference_url https://www.debian.org/security/2021/dsa-4880
reference_id
reference_type
scores
url https://www.debian.org/security/2021/dsa-4880
fixed_packages
0
url pkg:pypi/lxml@4.6.3
purl pkg:pypi/lxml@4.6.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1dyf-bxvq-u3bx
1
vulnerability VCID-47q5-tf6f-3kas
2
vulnerability VCID-y6ed-mwdn-8bcv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lxml@4.6.3
aliases CVE-2021-28957, GHSA-jq4v-f5q6-mjqq, PYSEC-2021-19
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-544b-t8ef-sqd3
4
url VCID-y6ed-mwdn-8bcv
vulnerability_id VCID-y6ed-mwdn-8bcv
summary NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
references
0
reference_url https://github.com/advisories/GHSA-wrxv-2j5q-m38w
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-wrxv-2j5q-m38w
1
reference_url https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f
reference_id
reference_type
scores
url https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f
2
reference_url https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba
reference_id
reference_type
scores
url https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba
fixed_packages
0
url pkg:pypi/lxml@4.9.1
purl pkg:pypi/lxml@4.9.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1dyf-bxvq-u3bx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lxml@4.9.1
aliases CVE-2022-2309, GHSA-wrxv-2j5q-m38w, PYSEC-2022-230
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y6ed-mwdn-8bcv
5
url VCID-yfjf-efxa-x3az
vulnerability_id VCID-yfjf-efxa-x3az
summary An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146.
references
0
reference_url https://github.com/advisories/GHSA-xp26-p53h-6h2p
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-xp26-p53h-6h2p
1
reference_url https://github.com/lxml/lxml
reference_id
reference_type
scores
url https://github.com/lxml/lxml
2
reference_url https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109
reference_id
reference_type
scores
url https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2018-12.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2018-12.yaml
4
reference_url https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html
5
reference_url https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html
6
reference_url https://usn.ubuntu.com/3841-1
reference_id
reference_type
scores
url https://usn.ubuntu.com/3841-1
7
reference_url https://usn.ubuntu.com/3841-1/
reference_id
reference_type
scores
url https://usn.ubuntu.com/3841-1/
8
reference_url https://usn.ubuntu.com/3841-2
reference_id
reference_type
scores
url https://usn.ubuntu.com/3841-2
9
reference_url https://usn.ubuntu.com/3841-2/
reference_id
reference_type
scores
url https://usn.ubuntu.com/3841-2/
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-19787
reference_id CVE-2018-19787
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2018-19787
fixed_packages
0
url pkg:pypi/lxml@4.2.5
purl pkg:pypi/lxml@4.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1dyf-bxvq-u3bx
1
vulnerability VCID-2q4w-15rf-ykb3
2
vulnerability VCID-47q5-tf6f-3kas
3
vulnerability VCID-544b-t8ef-sqd3
4
vulnerability VCID-y6ed-mwdn-8bcv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lxml@4.2.5
aliases CVE-2018-19787, GHSA-xp26-p53h-6h2p, PYSEC-2018-12
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yfjf-efxa-x3az
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/lxml@4.2.2