Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/354107?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/354107?format=api", "vulnerability_id": "VCID-jp88-wzxq-vyfn", "summary": "lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files\n### Impact\nUsing either of the two parsers in the default configuration (with `resolve_entities=True`) allows untrusted XML input to read local files.\n\n### Patches\nlxml 6.1.0 changes the default to `resolve_entities='internal'`, thus disallowing local file access by default.\n\n### Workarounds\nSetting the `resolve_entities` option explicitly to `resolve_entities='internal'` or `resolve_entities=False` disables the local file access.\n\n### Resources\nOriginal report: https://bugs.launchpad.net/lxml/+bug/2146291\n\nThe default option was changed to `resolve_entities='internal'` for the normal XML and HTML parsers in lxml 5.0. The default was not changed for `iterparse()` and `ETCompatXMLParser()` at the time. lxml 6.1 makes the safe option the default for all parsers.", "aliases": [ { "alias": "CVE-2026-41066" }, { "alias": "GHSA-vfmq-68hx-4jfw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1077792?format=api", "purl": "pkg:deb/debian/lxml@6.1.0-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/lxml@6.1.0-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1076087?format=api", "purl": "pkg:deb/debian/lxml@6.1.0-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/lxml@6.1.0-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1076429?format=api", "purl": "pkg:pypi/lxml@6.1.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/lxml@6.1.0" } ], "affected_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/995119?format=api", "purl": "pkg:deb/debian/lxml@4.6.3%2Bdfsg-0.1%2Bdeb11u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4m3j-qy8c-4uhk" }, { "vulnerability": "VCID-jp88-wzxq-vyfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/lxml@4.6.3%252Bdfsg-0.1%252Bdeb11u1" }, { "url": "http://public2.vulnerablecode.io/api/packages/930253?format=api", "purl": "pkg:deb/debian/lxml@4.6.3%2Bdfsg-0.1%2Bdeb11u1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4m3j-qy8c-4uhk" }, { "vulnerability": "VCID-jp88-wzxq-vyfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/lxml@4.6.3%252Bdfsg-0.1%252Bdeb11u1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/995120?format=api", "purl": "pkg:deb/debian/lxml@4.9.2-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jp88-wzxq-vyfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/lxml@4.9.2-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/930251?format=api", "purl": "pkg:deb/debian/lxml@4.9.2-1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jp88-wzxq-vyfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/lxml@4.9.2-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1077790?format=api", "purl": "pkg:deb/debian/lxml@5.4.0-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jp88-wzxq-vyfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/lxml@5.4.0-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/930255?format=api", "purl": "pkg:deb/debian/lxml@5.4.0-1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jp88-wzxq-vyfn" } ], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/lxml@5.4.0-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1077791?format=api", "purl": "pkg:deb/debian/lxml@6.0.2-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jp88-wzxq-vyfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/lxml@6.0.2-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/930254?format=api", "purl": "pkg:deb/debian/lxml@6.0.2-1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jp88-wzxq-vyfn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/lxml@6.0.2-1%3Fdistro=trixie" } ], "references": [ { "reference_url": "https://bugs.launchpad.net/lxml/+bug/2146291", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T18:03:40Z/" } ], "url": "https://bugs.launchpad.net/lxml/+bug/2146291" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41066", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41066" }, { "reference_url": "https://github.com/lxml/lxml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lxml/lxml" }, { "reference_url": "https://github.com/lxml/lxml/releases/tag/lxml-6.1.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lxml/lxml/releases/tag/lxml-6.1.0" }, { "reference_url": "https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T18:03:40Z/" } ], "url": "https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw" }, { "reference_url": "https://github.com/advisories/GHSA-vfmq-68hx-4jfw", "reference_id": "GHSA-vfmq-68hx-4jfw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vfmq-68hx-4jfw" } ], "weaknesses": [ { "cwe_id": 611, "name": "Improper Restriction of XML External Entity Reference", "description": "The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output." } ], "exploits": [], "severity_range_score": "7.0 - 8.9", "exploitability": "0.5", "weighted_severity": "8.0", "risk_score": 4.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jp88-wzxq-vyfn" }