CVE-2026-41066: lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files
Using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files.
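The mitigation implied by the advisory is to pass `resolve_entities=False` explicitly rather than relying on the default. The following added example (not code from the advisory or the lxml project) shows a hardened `ETCompatXMLParser` and a hardened `iterparse()` call, then verifies both against a constructed probe document whose external entity points at a temporary file with a constructed secret; the file path, the entity name `ext` and the helper names are assumptions for this demonstration.

```python
# Added example: parse untrusted XML with lxml while keeping external entity
# expansion switched off for both the DOM-style and the streaming parser.
import io
import os
import tempfile

from lxml import etree


def hardened_parser() -> etree.XMLParser:
    """ETCompatXMLParser with the defaults the advisory warns about overridden.

    resolve_entities=False keeps entity references as reference nodes instead of
    substituting their (possibly file-backed) content; no_network and load_dtd
    close the remaining DTD-driven fetch paths.
    """
    return etree.ETCompatXMLParser(
        resolve_entities=False,
        no_network=True,
        load_dtd=False,
    )


def parse_untrusted(data: bytes) -> bytes:
    """Parse with the hardened parser and return the re-serialized tree."""
    root = etree.fromstring(data, parser=hardened_parser())
    return etree.tostring(root)


def iterparse_untrusted(data: bytes) -> bytes:
    """Same guarantee for iterparse(): pass resolve_entities=False explicitly."""
    it = etree.iterparse(
        io.BytesIO(data),
        events=("end",),
        resolve_entities=False,
        no_network=True,
    )
    for _event, _elem in it:
        pass  # consume the stream; a real consumer would process elements here
    return etree.tostring(it.root)


def build_probe(path: str) -> bytes:
    """Constructed probe: internal subset declares an external entity for a local file."""
    uri = "file://" + path  # POSIX absolute path -> file:///...
    return (
        b'<?xml version="1.0"?>\n'
        b"<!DOCTYPE data [ <!ENTITY ext SYSTEM \"" + uri.encode() + b"\"> ]>\n"
        b"<data>&ext;</data>"
    )


def run_probe() -> tuple[bytes, bytes, bytes]:
    """Return (secret, dom_output, stream_output) so a caller can check neither leaks."""
    secret = b"CONSTRUCTED-SECRET-0001"  # constructed marker, not real data
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "local.txt")
        with open(path, "wb") as fh:
            fh.write(secret)
        probe = build_probe(path)
        return secret, parse_untrusted(probe), iterparse_untrusted(probe)


if __name__ == "__main__":
    secret, dom_out, stream_out = run_probe()
    print("DOM   :", dom_out)
    print("stream:", stream_out)
    print("leak  :", secret in dom_out or secret in stream_out)
```

Both outputs keep the `&ext;` reference unexpanded, so the file content never enters the tree; the same three keyword arguments apply to a plain `etree.XMLParser` if that is what the code base uses.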