Vulnerabilities affecting this package (0)

This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)

Vulnerability: VCID-jp88-wzxq-vyfn

Summary: lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files
### Impact
Using either of the two parsers in the default configuration (with `resolve_entities=True`) allows untrusted XML input to read local files.
### Patches
lxml 6.1.0 changes the default to `resolve_entities='internal'`, thus disallowing local file access by default.
### Workarounds
Setting the `resolve_entities` option explicitly to `resolve_entities='internal'` or `resolve_entities=False` disables local file access.
### Resources
Original report: https://bugs.launchpad.net/lxml/+bug/2146291
The default option was changed to `resolve_entities='internal'` for the normal XML and HTML parsers in lxml 5.0. The default was not changed for `iterparse()` and `ETCompatXMLParser()` at the time. lxml 6.1 makes the safe option the default for all parsers.
Aliases: CVE-2026-41066, GHSA-vfmq-68hx-4jfw
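An added example, not part of this VulnerableCode record and not lxml project code, that turns the workaround above into a check a deployment can keep as a regression test: it declares an external entity pointing at a local file we create ourselves (constructed content, not real data) and reports whether a given `resolve_entities` setting lets the file's contents reach the parsed tree. It assumes lxml is installed, and that the `'internal'` value is accepted (lxml 5.0 or later, per the advisory); the `MARKER` value, file layout and function names are this example's own.

```python
# Added example (not part of this VulnerableCode record and not lxml project code).
# It checks whether a given resolve_entities setting lets lxml expand an external
# entity that points at a local file, so the advisory's workaround can be pinned by a test.
import io
import os
import tempfile
from lxml import etree

MARKER = "LOCAL-FILE-MARKER"  # constructed content written to a file we own


def build_sample(local_path: str) -> bytes:
    """Constructed document with one internal entity and one external entity
    whose SYSTEM id points at the local file created by external_entity_leaks()."""
    return (
        "<!DOCTYPE doc [\n"
        '  <!ENTITY internal "internal-value">\n'
        f'  <!ENTITY external SYSTEM "file://{local_path}">\n'
        "]>\n"
        "<doc><a>&internal;</a><b>&external;</b></doc>"
    ).encode()


def parse_texts(xml_bytes: bytes, resolve_entities, parser_cls=etree.XMLParser):
    """Parse with XMLParser (or ETCompatXMLParser) and return the text of <a> and <b>.
    An entity that is not expanded stays an entity node, so findtext() yields ''."""
    parser = parser_cls(resolve_entities=resolve_entities)
    root = etree.fromstring(xml_bytes, parser)
    return root.findtext("a"), root.findtext("b")


def iterparse_texts(xml_bytes: bytes, resolve_entities):
    """Same check through iterparse(), which kept the unsafe default until lxml 6.1."""
    texts = {}
    for _event, elem in etree.iterparse(
        io.BytesIO(xml_bytes), events=("end",), tag=("a", "b"),
        resolve_entities=resolve_entities,
    ):
        texts[elem.tag] = elem.text or ""
    return texts["a"], texts["b"]


def external_entity_leaks(resolve_entities, via="xmlparser") -> bool:
    """True if MARKER from our local file ends up in the parsed <b> text."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(MARKER)
        path = fh.name
    try:
        xml = build_sample(path)
        if via == "iterparse":
            _a, b = iterparse_texts(xml, resolve_entities)
        elif via == "etcompat":
            _a, b = parse_texts(xml, resolve_entities, etree.ETCompatXMLParser)
        else:
            _a, b = parse_texts(xml, resolve_entities)
        return MARKER in b
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Both values named in the advisory's workaround should report no leak;
    # 'internal' differs from False only in still expanding the internal entity.
    for setting in (False, "internal"):
        for via in ("xmlparser", "etcompat", "iterparse"):
            leak = external_entity_leaks(setting, via)
            print(f"resolve_entities={setting!r} via {via}: leak={leak}")
```

Run as a script it prints one line per parser and setting; wired into a test suite, the `False` assertions below are what should be pinned, and any lxml upgrade that changes the answer will surface there rather than in production.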