Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-04-24T16:45:19 lxml: python: lxml: Information disclosure via untrusted XML input leading to local file read 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CWE-611

A flaw was found in lxml, a library for processing XML and HTML in Python. A remote attacker can exploit this vulnerability by sending untrusted XML input to an application using lxml's default parser configuration. This allows the attacker to read local files on the system, leading to information disclosure.

Applications using the lxml library to process untrusted XML input should explicitly configure the parser to prevent external entity resolution. This can be achieved by setting the `resolve_entities` option to `False` or `'internal'` when initializing the parser. For example, `etree.XML(xml_input, parser=etree.XMLParser(resolve_entities=False))` or `etree.HTML(html_input, parser=etree.HTMLParser(resolve_entities='internal'))`. Migration Toolkit for Applications 8 Fix deferred mta/mta-solution-server-rhel9 Pen Drive Powered by Red Hat Lightspeed Fix deferred pen-drive/pen-drive-scanner-rhel9 Red Hat AI Inference Server Fix deferred rhaiis/vllm-neuron-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-25/ee-supported-rhel8 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/controller-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/ee-supported-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/gateway-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/hub-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred automation-controller Red Hat Enterprise Linux 10 Fix deferred python-lxml Red Hat Enterprise Linux 6 Fix deferred python-lxml Red Hat Enterprise Linux 7 Fix deferred python-lxml Red Hat Enterprise Linux 8 Fix deferred python-lxml Red Hat Enterprise Linux 9 Fix deferred python-lxml Red Hat Hardened Images Not affected abattis-cantarell-fonts Red Hat Hardened Images Not affected jq Red Hat Hardened Images Not affected mariadb11.8 Red Hat Hardened Images Affected python3-mypy Red Hat Hardened Images Affected python-jsonschema Red Hat Hardened Images Affected python-referencing Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-ta-lmes-job-rhel9 Red Hat OpenShift AI (RHOAI) Fix deferred rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9 Red Hat OpenShift Container Platform 4 Fix deferred openshift4/ose-olm-catalogd-rhel9 Red Hat OpenShift Container Platform 4 Fix deferred rhcos Red Hat Quay 3 Fix deferred quay/quay-rhel8 Red Hat Quay 3 Fix deferred quay/quay-rhel9 Red Hat Satellite 6 Fix deferred python-lxml Red Hat Satellite 6 Fix deferred satellite:el8/python-lxml Red Hat Update Infrastructure 4 for Cloud Providers Fix deferred python-lxml https://www.cve.org/CVERecord?id=CVE-2026-41066 https://nvd.nist.gov/vuln/detail/CVE-2026-41066 https://bugs.launchpad.net/lxml/+bug/2146291 https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw