Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/8215?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/8215?format=api", "purl": "pkg:pypi/lxml@2.2.1", "type": "pypi", "namespace": "", "name": "lxml", "version": "2.2.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.1.0", "latest_non_vulnerable_version": "6.1.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37301?format=api", "vulnerability_id": "VCID-1dyf-bxvq-u3bx", "summary": "lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.", "references": [ { "reference_url": "https://bugs.launchpad.net/lxml/+bug/2146291", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://bugs.launchpad.net/lxml/+bug/2146291" }, { "reference_url": "https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49662?format=api", "purl": "pkg:pypi/lxml@6.1.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/lxml@6.1.0" } ], "aliases": [ "CVE-2026-41066", "GHSA-vfmq-68hx-4jfw", "PYSEC-2026-87" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1dyf-bxvq-u3bx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35683?format=api", "vulnerability_id": "VCID-2q4w-15rf-ykb3", "summary": "A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.", "references": [ { "reference_url": "https://advisory.checkmarx.net/advisory/CX-2020-4286", "reference_id": "", "reference_type": "", "scores": [], "url": "https://advisory.checkmarx.net/advisory/CX-2020-4286" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901633", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901633" }, { "reference_url": "https://github.com/advisories/GHSA-pgww-xf46-h92r", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-pgww-xf46-h92r" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00028.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JKG67GPGTV23KADT4D4GK4RMHSO4CIQL/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TMHVKRUT22LVWNL3TB7HPSDHJT74Q3JK/" }, { "reference_url": "https://www.debian.org/security/2020/dsa-4810", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.debian.org/security/2020/dsa-4810" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19173?format=api", "purl": "pkg:pypi/lxml@4.6.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1dyf-bxvq-u3bx" }, { "vulnerability": "VCID-47q5-tf6f-3kas" }, { "vulnerability": "VCID-544b-t8ef-sqd3" }, { "vulnerability": "VCID-y6ed-mwdn-8bcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/lxml@4.6.2" } ], "aliases": [ "CVE-2020-27783", "GHSA-pgww-xf46-h92r", "PYSEC-2020-62" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2q4w-15rf-ykb3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/6959?format=api", "vulnerability_id": "VCID-47q5-tf6f-3kas", "summary": "cross-site scripting", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43818", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43818" }, { "reference_url": "https://github.com/lxml/lxml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lxml/lxml" }, { "reference_url": "https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a" }, { "reference_url": "https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776" }, { "reference_url": "https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0" }, { "reference_url": "https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2021-852.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2021-852.yaml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00037.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUIS2KE3HZ2AAQKXFLTJFZPP2IFHJTC7" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2XMOM5PFT6U5AAXY6EFNT5JZCKKHK2V" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGNET2A4WGLSUXLBFYKNC5PXHQMI3I7" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4SPKJX3RRJK4UWA6FXCRHD2TVRQI44" }, { "reference_url": "https://security.gentoo.org/glsa/202208-06", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202208-06" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20220107-0005", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20220107-0005" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5043", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.debian.org/security/2022/dsa-5043" }, { "reference_url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "reference_url": "https://www.oracle.com/security-alerts/cpujul2022.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "reference_url": "https://security.archlinux.org/AVG-2629", "reference_id": "AVG-2629", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2629" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43818", "reference_id": "CVE-2021-43818", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43818" }, { "reference_url": "https://github.com/advisories/GHSA-55x5-fj6c-h6m8", "reference_id": "GHSA-55x5-fj6c-h6m8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-55x5-fj6c-h6m8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/25665?format=api", "purl": "pkg:pypi/lxml@4.6.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1dyf-bxvq-u3bx" }, { "vulnerability": "VCID-y6ed-mwdn-8bcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/lxml@4.6.5" } ], "aliases": [ "CVE-2021-43818", "GHSA-55x5-fj6c-h6m8", "PYSEC-2021-852" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-47q5-tf6f-3kas" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35757?format=api", "vulnerability_id": "VCID-544b-t8ef-sqd3", "summary": "An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.", "references": [ { "reference_url": "https://bugs.launchpad.net/lxml/+bug/1888153", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugs.launchpad.net/lxml/+bug/1888153" }, { "reference_url": "https://github.com/advisories/GHSA-jq4v-f5q6-mjqq", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jq4v-f5q6-mjqq" }, { "reference_url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lxml/lxml/commit/a5f9cb52079dc57477c460dbe6ba0f775e14a999" }, { "reference_url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lxml/lxml/pull/316/commits/10ec1b4e9f93713513a3264ed6158af22492f270" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00031.html" }, { "reference_url": "https://www.debian.org/security/2021/dsa-4880", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.debian.org/security/2021/dsa-4880" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20374?format=api", "purl": "pkg:pypi/lxml@4.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1dyf-bxvq-u3bx" }, { "vulnerability": "VCID-47q5-tf6f-3kas" }, { "vulnerability": "VCID-y6ed-mwdn-8bcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/lxml@4.6.3" } ], "aliases": [ "CVE-2021-28957", "GHSA-jq4v-f5q6-mjqq", "PYSEC-2021-19" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-544b-t8ef-sqd3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/34877?format=api", "vulnerability_id": "VCID-mk2g-j5sp-ckfv", "summary": "Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.", "references": [ { "reference_url": "http://advisories.mageia.org/MGASA-2014-0218.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://advisories.mageia.org/MGASA-2014-0218.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00083.html" }, { "reference_url": "http://lxml.de/3.3/changes-3.3.5.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lxml.de/3.3/changes-3.3.5.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3146", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3146" }, { "reference_url": "http://seclists.org/fulldisclosure/2014/Apr/210", "reference_id": "", "reference_type": "", "scores": [], "url": "http://seclists.org/fulldisclosure/2014/Apr/210" }, { "reference_url": "http://seclists.org/fulldisclosure/2014/Apr/319", "reference_id": "", "reference_type": "", "scores": [], "url": "http://seclists.org/fulldisclosure/2014/Apr/319" }, { "reference_url": "http://secunia.com/advisories/58013", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/58013" }, { "reference_url": "http://secunia.com/advisories/58744", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/58744" }, { "reference_url": "http://secunia.com/advisories/59008", "reference_id": "", "reference_type": "", "scores": [], "url": "http://secunia.com/advisories/59008" }, { "reference_url": "https://github.com/lxml/lxml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lxml/lxml" }, { "reference_url": "https://github.com/lxml/lxml/commit/3f3082e0a67851cde26a48da3d1f4b75d8aa07ec", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lxml/lxml/commit/3f3082e0a67851cde26a48da3d1f4b75d8aa07ec" }, { "reference_url": "https://github.com/lxml/lxml/commit/86e81ab393ba14c1be71284675851a3bdce57d69", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lxml/lxml/commit/86e81ab393ba14c1be71284675851a3bdce57d69" }, { "reference_url": "https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc" }, { "reference_url": "https://github.com/lxml/lxml/pull/273", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lxml/lxml/pull/273" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2014-9.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2014-9.yaml" }, { "reference_url": "https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html" }, { "reference_url": "https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007129.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007129.html" }, { "reference_url": "https://web.archive.org/web/20140724172044/http://secunia.com/advisories/58013", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20140724172044/http://secunia.com/advisories/58013" }, { "reference_url": "https://web.archive.org/web/20140805110535/http://secunia.com/advisories/59008", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20140805110535/http://secunia.com/advisories/59008" }, { "reference_url": "https://web.archive.org/web/20140806061046/http://secunia.com/advisories/58744", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20140806061046/http://secunia.com/advisories/58744" }, { "reference_url": "https://web.archive.org/web/20141017122607/https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20141017122607/https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html" }, { "reference_url": "https://web.archive.org/web/20150523055039/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:112/?name=MDVSA-2015:112", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20150523055039/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:112/?name=MDVSA-2015:112" }, { "reference_url": "https://web.archive.org/web/20200228180542/http://www.securityfocus.com/bid/67159", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20200228180542/http://www.securityfocus.com/bid/67159" }, { "reference_url": "http://www.debian.org/security/2014/dsa-2941", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.debian.org/security/2014/dsa-2941" }, { "reference_url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:112", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:112" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2014/05/09/7", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2014/05/09/7" }, { "reference_url": "http://www.securityfocus.com/bid/67159", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/67159" }, { "reference_url": "http://www.ubuntu.com/usn/USN-2217-1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.ubuntu.com/usn/USN-2217-1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3146", "reference_id": "CVE-2014-3146", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3146" }, { "reference_url": "https://github.com/advisories/GHSA-57qw-cc2g-pv5p", "reference_id": "GHSA-57qw-cc2g-pv5p", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-57qw-cc2g-pv5p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/8256?format=api", "purl": "pkg:pypi/lxml@3.3.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1dyf-bxvq-u3bx" }, { "vulnerability": "VCID-2q4w-15rf-ykb3" }, { "vulnerability": "VCID-47q5-tf6f-3kas" }, { "vulnerability": "VCID-544b-t8ef-sqd3" }, { "vulnerability": "VCID-y6ed-mwdn-8bcv" }, { "vulnerability": "VCID-yfjf-efxa-x3az" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/lxml@3.3.5" } ], "aliases": [ "CVE-2014-3146", "GHSA-57qw-cc2g-pv5p", "PYSEC-2014-9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mk2g-j5sp-ckfv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36136?format=api", "vulnerability_id": "VCID-y6ed-mwdn-8bcv", "summary": "NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-wrxv-2j5q-m38w", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wrxv-2j5q-m38w" }, { "reference_url": "https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f" }, { "reference_url": "https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba", "reference_id": "", "reference_type": "", "scores": [], "url": "https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28250?format=api", "purl": "pkg:pypi/lxml@4.9.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1dyf-bxvq-u3bx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/lxml@4.9.1" } ], "aliases": [ "CVE-2022-2309", "GHSA-wrxv-2j5q-m38w", "PYSEC-2022-230" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y6ed-mwdn-8bcv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35291?format=api", "vulnerability_id": "VCID-yfjf-efxa-x3az", "summary": "An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by \"j a v a s c r i p t:\" in Internet Explorer. This is a similar issue to CVE-2014-3146.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-xp26-p53h-6h2p", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xp26-p53h-6h2p" }, { "reference_url": "https://github.com/lxml/lxml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lxml/lxml" }, { "reference_url": "https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2018-12.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2018-12.yaml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html" }, { "reference_url": "https://usn.ubuntu.com/3841-1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/3841-1" }, { "reference_url": "https://usn.ubuntu.com/3841-1/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/3841-1/" }, { "reference_url": "https://usn.ubuntu.com/3841-2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/3841-2" }, { "reference_url": "https://usn.ubuntu.com/3841-2/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/3841-2/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19787", "reference_id": "CVE-2018-19787", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19787" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/12561?format=api", "purl": "pkg:pypi/lxml@4.2.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1dyf-bxvq-u3bx" }, { "vulnerability": "VCID-2q4w-15rf-ykb3" }, { "vulnerability": "VCID-47q5-tf6f-3kas" }, { "vulnerability": "VCID-544b-t8ef-sqd3" }, { "vulnerability": "VCID-y6ed-mwdn-8bcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/lxml@4.2.5" } ], "aliases": [ "CVE-2018-19787", "GHSA-xp26-p53h-6h2p", "PYSEC-2018-12" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yfjf-efxa-x3az" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/lxml@2.2.1" }