VulnerableCode Package Details - pkg:pypi/xml2rfc@2.23.0

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:pypi/xml2rfc@2.23.0

Essentials
History (3)

purl	pkg:pypi/xml2rfc@2.23.0

Next non-vulnerable version	3.30.2
Latest non-vulnerable version	3.30.2
Risk	4.0

Vulnerabilities affecting this package (3)

Vulnerability	Summary	Fixed by
VCID-96zb-v69y-7udq Aliases: CVE-2025-11059 GHSA-9mv7-3c64-mmqw	xml2rfc is vulnerable to arbitrary file reads through prepped files ### Impact When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML. ### Workarounds Test untrusted input with `link` elements with `rel="attachment"` before processing. ### References This is related to [GHSA-cfmv-h8fx-85m7](https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7).	3.30.2 Affected by 0 other vulnerabilities.
VCID-hzv3-nqaf-ckcx Aliases: CVE-2025-11058 GHSA-cfmv-h8fx-85m7	xml2rfc has an arbitrary file read vulnerability ### Impact When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the XML. ### Workarounds Test untrusted input with `link` elements with `rel="attachment"` before processing. ### Credits This vulnerability was reported by Mohamed Ouad from [Doyensec](https://doyensec.com/).	3.30.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-vbea-2gtz-6qe9 Aliases: GHSA-cf4q-4cqr-7g7w GMS-2022-988	SVG with embedded scripts can lead to cross-site scripting attacks in xml2rfc	3.12.4 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T20:16:44.395769+00:00	GitLab Importer	Affected by	VCID-96zb-v69y-7udq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/xml2rfc/CVE-2025-11059.yml	38.6.0
2026-06-12T20:13:15.739131+00:00	GitLab Importer	Affected by	VCID-hzv3-nqaf-ckcx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/xml2rfc/CVE-2025-11058.yml	38.6.0
2026-06-12T18:05:27.710419+00:00	GitLab Importer	Affected by	VCID-vbea-2gtz-6qe9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/xml2rfc/GMS-2022-988.yml	38.6.0