{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-24T16:45:19Z",
  "bugzilla" : {
    "description" : "lxml: python: lxml: Information disclosure via untrusted XML input leading to local file read",
    "id" : "2461613",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461613"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-611",
  "details" : [ "A flaw was found in lxml, a library for processing XML and HTML in Python. A remote attacker can exploit this vulnerability by sending untrusted XML input to an application using lxml's default parser configuration. This allows the attacker to read local files on the system, leading to information disclosure." ],
  "package_state" : [ {
    "product_name" : "Migration Toolkit for Applications 8",
    "fix_state" : "Fix deferred",
    "package_name" : "mta/mta-solution-server-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8"
  }, {
    "product_name" : "Pen Drive Powered by Red Hat Lightspeed",
    "fix_state" : "Fix deferred",
    "package_name" : "pen-drive/pen-drive-scanner-rhel9",
    "cpe" : "cpe:/a:redhat:pdrive_lightspeed:0"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Fix deferred",
    "package_name" : "rhaiis/vllm-neuron-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "ansible-automation-platform-25/ee-supported-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "ansible-automation-platform-26/controller-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "ansible-automation-platform-26/ee-supported-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "ansible-automation-platform-26/gateway-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "ansible-automation-platform-26/hub-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "automation-controller",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "python-lxml",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Fix deferred",
    "package_name" : "python-lxml",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "python-lxml",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "python-lxml",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "python-lxml",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Not affected",
    "package_name" : "abattis-cantarell-fonts",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Not affected",
    "package_name" : "jq",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Not affected",
    "package_name" : "mariadb11.8",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "python3-mypy",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "python-jsonschema",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "python-referencing",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-ta-lmes-job-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-olm-catalogd-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Fix deferred",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Fix deferred",
    "package_name" : "quay/quay-rhel9",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Fix deferred",
    "package_name" : "python-lxml",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Fix deferred",
    "package_name" : "satellite:el8/python-lxml",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Update Infrastructure 4 for Cloud Providers",
    "fix_state" : "Fix deferred",
    "package_name" : "python-lxml",
    "cpe" : "cpe:/a:redhat:rhui:4::el8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-41066\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41066\nhttps://bugs.launchpad.net/lxml/+bug/2146291\nhttps://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw" ],
  "name" : "CVE-2026-41066",
  "mitigation" : {
    "value" : "Applications using the lxml library to process untrusted XML input should explicitly configure the parser to prevent external entity resolution. This can be achieved by setting the `resolve_entities` option to `False` or `'internal'` when initializing the parser. For example, `etree.XML(xml_input, parser=etree.XMLParser(resolve_entities=False))` or `etree.HTML(html_input, parser=etree.HTMLParser(resolve_entities='internal'))`.",
    "lang" : "en:us"
  },
  "csaw" : false
}