CVE-2026-41066: lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files

Published Apr 21, 2026

Impact: Using either of the two parsers, iterparse() and ETCompatXMLParser(), in the default configuration (resolve_entities=True) allows untrusted XML input to read local files through external entities (XXE).

Patches: lxml 6.1.0 changes the default to resolve_entities='internal', which disallows local file access by default.

Workarounds: Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. The option has to be passed on every iterparse() call and every ETCompatXMLParser() instance that handles untrusted input.

Resources: Original report: https://bugs.launchpad.net/lxml/+bug/2146291

The default was changed to resolve_entities='internal' for the normal XML and HTML parsers in lxml 5.0, but not for iterparse() and ETCompatXMLParser() at the time. lxml 6.1 makes the safe option the default for all parsers.

Other sources

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either iterparse() or ETCompatXMLParser() in the default configuration (resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.

MITRE

lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files

Microsoft

Affected Software

4 affected components, fixes available

pip/lxml <6.1.0: fixed in 6.1.0
lxml lxml <6.1.0
Microsoft azl3 python-lxml 4.9.3-1
Microsoft azl3 python-lxml 4.9.3-2

Event History

Apr 21, 2026
Advisory Published via GitHub, 08:38 PM
Data Sourced via GitHub, 08:38 PM (Description, Severity, Weakness, Affected Software)

Apr 24, 2026
CVE Published via MITRE, 04:45 PM
Data Sourced via MITRE, 04:45 PM (Description, Severity, Weakness)
Data Sourced via NVD, 05:16 PM (Description, Severity, Weakness, Affected Software)

Apr 26, 2026
Data Sourced via Microsoft, 08:04 AM (Description, Severity, Weakness, Affected Software)
Updated via Microsoft, 08:04 AM (Description, Severity)
Updated via Microsoft, 08:04 AM (Affected Software)

Frequently Asked Questions

1. What is the severity of CVE-2026-41066?

CVE-2026-41066 is rated as high severity because untrusted XML input can be used to read local files from the host running the parser.

2. How do I fix CVE-2026-41066?

Upgrade to lxml 6.1.0 or later. Until you can upgrade, pass resolve_entities='internal' (or resolve_entities=False) explicitly to every iterparse() call and ETCompatXMLParser() instance that handles untrusted input.

3. What vulnerability does CVE-2026-41066 address?

An XML external entity (XXE) weakness: with the default resolve_entities=True, iterparse() and ETCompatXMLParser() expand external entities, so an attacker can declare an entity that points at a local file and have its contents pulled into the parsed document.

4. What is the risk of not addressing CVE-2026-41066?

Any file readable by the process that parses attacker-supplied XML, such as configuration or credential files, can be disclosed to the attacker.

5. Which software is affected by CVE-2026-41066?

lxml before 6.1.0 when iterparse() or ETCompatXMLParser() is used with resolve_entities=True, which was their default; XMLParser and HTMLParser have defaulted to resolve_entities='internal' since lxml 5.0. The Microsoft azl3 python-lxml 4.9.3-1 and 4.9.3-2 packages are also listed as affected.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203