Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-41066 (GCVE-0-2026-41066)
Vulnerability from cvelistv5 – Published: 2026-04-24 16:45 – Updated: 2026-04-24 18:04
VLAI
EPSS
Title
lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files
Summary
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/lxml/lxml/security/advisories/… | x_refsource_CONFIRM |
| https://bugs.launchpad.net/lxml/+bug/2146291 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41066",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T18:03:40.722204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:04:04.548Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lxml",
"vendor": "lxml",
"versions": [
{
"status": "affected",
"version": "\u003c 6.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities=\u0027internal\u0027 or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T16:45:19.617Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw"
},
{
"name": "https://bugs.launchpad.net/lxml/+bug/2146291",
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.launchpad.net/lxml/+bug/2146291"
}
],
"source": {
"advisory": "GHSA-vfmq-68hx-4jfw",
"discovery": "UNKNOWN"
},
"title": "lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41066",
"datePublished": "2026-04-24T16:45:19.617Z",
"dateReserved": "2026-04-16T16:43:03.174Z",
"dateUpdated": "2026-04-24T18:04:04.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-41066",
"date": "2026-06-30",
"epss": "0.00324",
"percentile": "0.24189"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-41066\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-24T17:16:20.933\",\"lastModified\":\"2026-06-17T10:46:06.993\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities=\u0027internal\u0027 or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"lxml\",\"product\":\"lxml\",\"versions\":[{\"version\":\"\u003c 6.1.0\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-04-24T18:03:40.722204Z\",\"id\":\"CVE-2026-41066\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lxml:lxml:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.1.0\",\"matchCriteriaId\":\"BBB89136-B5C9-4228-A580-08FB87A7326F\"}]}]}],\"references\":[{\"url\":\"https://bugs.launchpad.net/lxml/+bug/2146291\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-611\", \"lang\": \"en\", \"description\": \"CWE-611: Improper Restriction of XML External Entity Reference\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw\"}, {\"name\": \"https://bugs.launchpad.net/lxml/+bug/2146291\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://bugs.launchpad.net/lxml/+bug/2146291\"}], \"affected\": [{\"vendor\": \"lxml\", \"product\": \"lxml\", \"versions\": [{\"version\": \"\u003c 6.1.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-24T16:45:19.617Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities=\u0027internal\u0027 or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.\"}], \"source\": {\"advisory\": \"GHSA-vfmq-68hx-4jfw\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41066\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-24T18:03:40.722204Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-24T18:03:45.409Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-41066\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-04-16T16:43:03.174Z\", \"datePublished\": \"2026-04-24T16:45:19.617Z\", \"dateUpdated\": \"2026-04-24T18:04:04.548Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
PYSEC-2026-87
Vulnerability from pysec - Published: 2026-04-24 17:16 - Updated: 2026-05-20 09:19
VLAI
Details
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.
Severity
7.5 (High)
Impacted products
| Name | purl | lxml | pkg:pypi/lxml |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "lxml",
"purl": "pkg:pypi/lxml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.1.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.3.2",
"1.3.3",
"1.3.4",
"1.3.5",
"1.3.6",
"2.0",
"2.0.10",
"2.0.11",
"2.0.4",
"2.0.5",
"2.0.6",
"2.0.7",
"2.0.8",
"2.0.9",
"2.1",
"2.1.1",
"2.1.2",
"2.1.3",
"2.1.4",
"2.1.5",
"2.2",
"2.2.1",
"2.2.2",
"2.2.3",
"2.2.4",
"2.2.5",
"2.2.6",
"2.2.7",
"2.2.8",
"2.3",
"2.3.1",
"2.3.2",
"2.3.3",
"2.3.4",
"2.3.5",
"2.3.6",
"3.0",
"3.0.2",
"3.1.0",
"3.1.1",
"3.1.2",
"3.2.0",
"3.2.1",
"3.2.2",
"3.2.3",
"3.2.4",
"3.2.5",
"3.3.0",
"3.3.1",
"3.3.2",
"3.3.3",
"3.3.4",
"3.3.5",
"3.3.6",
"3.4.0",
"3.4.1",
"3.4.2",
"3.4.3",
"3.4.4",
"3.5.0",
"3.6.0",
"3.6.1",
"3.6.2",
"3.6.3",
"3.6.4",
"3.7.0",
"3.7.1",
"3.7.2",
"3.7.3",
"3.8.0",
"4.0.0",
"4.1.0",
"4.1.1",
"4.2.0",
"4.2.1",
"4.2.2",
"4.2.3",
"4.2.4",
"4.2.5",
"4.2.6",
"4.3.0",
"4.3.2",
"4.3.3",
"4.3.4",
"4.3.5",
"4.4.0",
"4.4.1",
"4.4.2",
"4.4.3",
"4.5.0",
"4.5.1",
"4.5.2",
"4.6.0",
"4.6.1",
"4.6.2",
"4.6.3",
"4.6.4",
"4.6.5",
"4.7.1",
"4.8.0",
"4.9.0",
"4.9.1",
"4.9.2",
"4.9.3",
"4.9.4",
"5.0.0",
"5.0.1",
"5.0.2",
"5.1.0",
"5.1.1",
"5.2.0",
"5.2.1",
"5.2.2",
"5.3.0",
"5.3.1",
"5.3.2",
"5.4.0",
"6.0.0",
"6.0.1",
"6.0.2",
"6.0.3",
"6.0.4"
]
}
],
"aliases": [
"CVE-2026-41066",
"GHSA-vfmq-68hx-4jfw"
],
"details": "lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities=\u0027internal\u0027 or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.",
"id": "PYSEC-2026-87",
"modified": "2026-05-20T09:19:06.179641Z",
"published": "2026-04-24T17:16:20.933Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw"
},
{
"type": "REPORT",
"url": "https://bugs.launchpad.net/lxml/+bug/2146291"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
SUSE-SU-2026:21587-1
Vulnerability from csaf_suse - Published: 2026-05-11 10:11 - Updated: 2026-05-11 10:11Summary
Security update for python-lxml
Severity
Moderate
Notes
Title of the patch: Security update for python-lxml
Description of the patch: This update for python-lxml fixes the following issue
- CVE-2026-41066: Information disclosure via untrusted XML input leading to local file read (bsc#1263254).
Patchnames: SUSE-SL-Micro-6.2-728
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.9 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-lxml",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-lxml fixes the following issue\n\n- CVE-2026-41066: Information disclosure via untrusted XML input leading to local file read (bsc#1263254).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SL-Micro-6.2-728",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21587-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21587-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621587-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21587-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046461.html"
},
{
"category": "self",
"summary": "SUSE Bug 1263254",
"url": "https://bugzilla.suse.com/1263254"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-41066 page",
"url": "https://www.suse.com/security/cve/CVE-2026-41066/"
}
],
"title": "Security update for python-lxml",
"tracking": {
"current_release_date": "2026-05-11T10:11:07Z",
"generator": {
"date": "2026-05-11T10:11:07Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21587-1",
"initial_release_date": "2026-05-11T10:11:07Z",
"revision_history": [
{
"date": "2026-05-11T10:11:07Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-lxml-5.4.0-160000.3.1.aarch64",
"product": {
"name": "python313-lxml-5.4.0-160000.3.1.aarch64",
"product_id": "python313-lxml-5.4.0-160000.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python313-lxml-5.4.0-160000.3.1.ppc64le",
"product": {
"name": "python313-lxml-5.4.0-160000.3.1.ppc64le",
"product_id": "python313-lxml-5.4.0-160000.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python313-lxml-5.4.0-160000.3.1.s390x",
"product": {
"name": "python313-lxml-5.4.0-160000.3.1.s390x",
"product_id": "python313-lxml-5.4.0-160000.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python313-lxml-5.4.0-160000.3.1.x86_64",
"product": {
"name": "python313-lxml-5.4.0-160000.3.1.x86_64",
"product_id": "python313-lxml-5.4.0-160000.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.2",
"product": {
"name": "SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-5.4.0-160000.3.1.aarch64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.aarch64"
},
"product_reference": "python313-lxml-5.4.0-160000.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-5.4.0-160000.3.1.ppc64le as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.ppc64le"
},
"product_reference": "python313-lxml-5.4.0-160000.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-5.4.0-160000.3.1.s390x as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.s390x"
},
"product_reference": "python313-lxml-5.4.0-160000.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-5.4.0-160000.3.1.x86_64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.x86_64"
},
"product_reference": "python313-lxml-5.4.0-160000.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-41066",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-41066"
}
],
"notes": [
{
"category": "general",
"text": "lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities=\u0027internal\u0027 or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.aarch64",
"SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.ppc64le",
"SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.s390x",
"SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-41066",
"url": "https://www.suse.com/security/cve/CVE-2026-41066"
},
{
"category": "external",
"summary": "SUSE Bug 1263254 for CVE-2026-41066",
"url": "https://bugzilla.suse.com/1263254"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.aarch64",
"SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.ppc64le",
"SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.s390x",
"SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.aarch64",
"SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.ppc64le",
"SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.s390x",
"SUSE Linux Micro 6.2:python313-lxml-5.4.0-160000.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-11T10:11:07Z",
"details": "moderate"
}
],
"title": "CVE-2026-41066"
}
]
}
SUSE-SU-2026:21603-1
Vulnerability from csaf_suse - Published: 2026-05-11 10:11 - Updated: 2026-05-11 10:11Summary
Security update for python-lxml
Severity
Moderate
Notes
Title of the patch: Security update for python-lxml
Description of the patch: This update for python-lxml fixes the following issue
- CVE-2026-41066: Information disclosure via untrusted XML input leading to local file read (bsc#1263254).
Patchnames: SUSE-SLES-16.0-728
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.9 (Medium)
Affected products
Recommended
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python-lxml-doc-5.4.0-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python-lxml-doc-5.4.0-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-lxml",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-lxml fixes the following issue\n\n- CVE-2026-41066: Information disclosure via untrusted XML input leading to local file read (bsc#1263254).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-728",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21603-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21603-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621603-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21603-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046445.html"
},
{
"category": "self",
"summary": "SUSE Bug 1263254",
"url": "https://bugzilla.suse.com/1263254"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-41066 page",
"url": "https://www.suse.com/security/cve/CVE-2026-41066/"
}
],
"title": "Security update for python-lxml",
"tracking": {
"current_release_date": "2026-05-11T10:11:07Z",
"generator": {
"date": "2026-05-11T10:11:07Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21603-1",
"initial_release_date": "2026-05-11T10:11:07Z",
"revision_history": [
{
"date": "2026-05-11T10:11:07Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-lxml-5.4.0-160000.3.1.aarch64",
"product": {
"name": "python313-lxml-5.4.0-160000.3.1.aarch64",
"product_id": "python313-lxml-5.4.0-160000.3.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-lxml-devel-5.4.0-160000.3.1.aarch64",
"product": {
"name": "python313-lxml-devel-5.4.0-160000.3.1.aarch64",
"product_id": "python313-lxml-devel-5.4.0-160000.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python-lxml-doc-5.4.0-160000.3.1.noarch",
"product": {
"name": "python-lxml-doc-5.4.0-160000.3.1.noarch",
"product_id": "python-lxml-doc-5.4.0-160000.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "python313-lxml-5.4.0-160000.3.1.ppc64le",
"product": {
"name": "python313-lxml-5.4.0-160000.3.1.ppc64le",
"product_id": "python313-lxml-5.4.0-160000.3.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-lxml-devel-5.4.0-160000.3.1.ppc64le",
"product": {
"name": "python313-lxml-devel-5.4.0-160000.3.1.ppc64le",
"product_id": "python313-lxml-devel-5.4.0-160000.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python313-lxml-5.4.0-160000.3.1.s390x",
"product": {
"name": "python313-lxml-5.4.0-160000.3.1.s390x",
"product_id": "python313-lxml-5.4.0-160000.3.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-lxml-devel-5.4.0-160000.3.1.s390x",
"product": {
"name": "python313-lxml-devel-5.4.0-160000.3.1.s390x",
"product_id": "python313-lxml-devel-5.4.0-160000.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python313-lxml-5.4.0-160000.3.1.x86_64",
"product": {
"name": "python313-lxml-5.4.0-160000.3.1.x86_64",
"product_id": "python313-lxml-5.4.0-160000.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-lxml-devel-5.4.0-160000.3.1.x86_64",
"product": {
"name": "python313-lxml-devel-5.4.0-160000.3.1.x86_64",
"product_id": "python313-lxml-devel-5.4.0-160000.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-lxml-doc-5.4.0-160000.3.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python-lxml-doc-5.4.0-160000.3.1.noarch"
},
"product_reference": "python-lxml-doc-5.4.0-160000.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-5.4.0-160000.3.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.aarch64"
},
"product_reference": "python313-lxml-5.4.0-160000.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-5.4.0-160000.3.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.ppc64le"
},
"product_reference": "python313-lxml-5.4.0-160000.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-5.4.0-160000.3.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.s390x"
},
"product_reference": "python313-lxml-5.4.0-160000.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-5.4.0-160000.3.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.x86_64"
},
"product_reference": "python313-lxml-5.4.0-160000.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-devel-5.4.0-160000.3.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.aarch64"
},
"product_reference": "python313-lxml-devel-5.4.0-160000.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-devel-5.4.0-160000.3.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.ppc64le"
},
"product_reference": "python313-lxml-devel-5.4.0-160000.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-devel-5.4.0-160000.3.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.s390x"
},
"product_reference": "python313-lxml-devel-5.4.0-160000.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-devel-5.4.0-160000.3.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.x86_64"
},
"product_reference": "python313-lxml-devel-5.4.0-160000.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-lxml-doc-5.4.0-160000.3.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python-lxml-doc-5.4.0-160000.3.1.noarch"
},
"product_reference": "python-lxml-doc-5.4.0-160000.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-5.4.0-160000.3.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.aarch64"
},
"product_reference": "python313-lxml-5.4.0-160000.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-5.4.0-160000.3.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.ppc64le"
},
"product_reference": "python313-lxml-5.4.0-160000.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-5.4.0-160000.3.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.s390x"
},
"product_reference": "python313-lxml-5.4.0-160000.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-5.4.0-160000.3.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.x86_64"
},
"product_reference": "python313-lxml-5.4.0-160000.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-devel-5.4.0-160000.3.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.aarch64"
},
"product_reference": "python313-lxml-devel-5.4.0-160000.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-devel-5.4.0-160000.3.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.ppc64le"
},
"product_reference": "python313-lxml-devel-5.4.0-160000.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-devel-5.4.0-160000.3.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.s390x"
},
"product_reference": "python313-lxml-devel-5.4.0-160000.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-lxml-devel-5.4.0-160000.3.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.x86_64"
},
"product_reference": "python313-lxml-devel-5.4.0-160000.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-41066",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-41066"
}
],
"notes": [
{
"category": "general",
"text": "lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities=\u0027internal\u0027 or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python-lxml-doc-5.4.0-160000.3.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.x86_64",
"SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python-lxml-doc-5.4.0-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-41066",
"url": "https://www.suse.com/security/cve/CVE-2026-41066"
},
{
"category": "external",
"summary": "SUSE Bug 1263254 for CVE-2026-41066",
"url": "https://bugzilla.suse.com/1263254"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python-lxml-doc-5.4.0-160000.3.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.x86_64",
"SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python-lxml-doc-5.4.0-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python-lxml-doc-5.4.0-160000.3.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-lxml-5.4.0-160000.3.1.x86_64",
"SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-lxml-devel-5.4.0-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python-lxml-doc-5.4.0-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-5.4.0-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-lxml-devel-5.4.0-160000.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-11T10:11:07Z",
"details": "moderate"
}
],
"title": "CVE-2026-41066"
}
]
}
SUSE-SU-2026:21731-1
Vulnerability from csaf_suse - Published: 2026-05-18 08:52 - Updated: 2026-05-18 08:52Summary
Security update for python-lxml
Severity
Moderate
Notes
Title of the patch: Security update for python-lxml
Description of the patch: This update for python-lxml fixes the following issue
- CVE-2026-41066: Information disclosure via untrusted XML input leading to local file read (bsc#1263254).
Patchnames: SUSE-SLE-Micro-6.1-531
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.9 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-lxml",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-lxml fixes the following issue\n\n- CVE-2026-41066: Information disclosure via untrusted XML input leading to local file read (bsc#1263254).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.1-531",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21731-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21731-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621731-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21731-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046717.html"
},
{
"category": "self",
"summary": "SUSE Bug 1263254",
"url": "https://bugzilla.suse.com/1263254"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-41066 page",
"url": "https://www.suse.com/security/cve/CVE-2026-41066/"
}
],
"title": "Security update for python-lxml",
"tracking": {
"current_release_date": "2026-05-18T08:52:51Z",
"generator": {
"date": "2026-05-18T08:52:51Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21731-1",
"initial_release_date": "2026-05-18T08:52:51Z",
"revision_history": [
{
"date": "2026-05-18T08:52:51Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-lxml-4.9.3-slfo.1.1_2.1.aarch64",
"product": {
"name": "python311-lxml-4.9.3-slfo.1.1_2.1.aarch64",
"product_id": "python311-lxml-4.9.3-slfo.1.1_2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-lxml-4.9.3-slfo.1.1_2.1.ppc64le",
"product": {
"name": "python311-lxml-4.9.3-slfo.1.1_2.1.ppc64le",
"product_id": "python311-lxml-4.9.3-slfo.1.1_2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-lxml-4.9.3-slfo.1.1_2.1.s390x",
"product": {
"name": "python311-lxml-4.9.3-slfo.1.1_2.1.s390x",
"product_id": "python311-lxml-4.9.3-slfo.1.1_2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-lxml-4.9.3-slfo.1.1_2.1.x86_64",
"product": {
"name": "python311-lxml-4.9.3-slfo.1.1_2.1.x86_64",
"product_id": "python311-lxml-4.9.3-slfo.1.1_2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.1",
"product": {
"name": "SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-lxml-4.9.3-slfo.1.1_2.1.aarch64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.aarch64"
},
"product_reference": "python311-lxml-4.9.3-slfo.1.1_2.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-lxml-4.9.3-slfo.1.1_2.1.ppc64le as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.ppc64le"
},
"product_reference": "python311-lxml-4.9.3-slfo.1.1_2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-lxml-4.9.3-slfo.1.1_2.1.s390x as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.s390x"
},
"product_reference": "python311-lxml-4.9.3-slfo.1.1_2.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-lxml-4.9.3-slfo.1.1_2.1.x86_64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.x86_64"
},
"product_reference": "python311-lxml-4.9.3-slfo.1.1_2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-41066",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-41066"
}
],
"notes": [
{
"category": "general",
"text": "lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities=\u0027internal\u0027 or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.aarch64",
"SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.ppc64le",
"SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.s390x",
"SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-41066",
"url": "https://www.suse.com/security/cve/CVE-2026-41066"
},
{
"category": "external",
"summary": "SUSE Bug 1263254 for CVE-2026-41066",
"url": "https://bugzilla.suse.com/1263254"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.aarch64",
"SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.ppc64le",
"SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.s390x",
"SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.aarch64",
"SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.ppc64le",
"SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.s390x",
"SUSE Linux Micro 6.1:python311-lxml-4.9.3-slfo.1.1_2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:52:51Z",
"details": "moderate"
}
],
"title": "CVE-2026-41066"
}
]
}
SUSE-SU-2026:2488-1
Vulnerability from csaf_suse - Published: 2026-06-22 12:16 - Updated: 2026-06-22 12:16Summary
Security update for python-lxml
Severity
Moderate
Notes
Title of the patch: Security update for python-lxml
Description of the patch: This update for python-lxml fixes the following issue
- CVE-2026-41066: information disclosure via untrusted XML input leading to local file read (bsc#1263254).
Patchnames: SUSE-2026-2488,SUSE-SLE-Micro-5.3-2026-2488,SUSE-SLE-Micro-5.4-2026-2488
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.9 (Medium)
Affected products
Recommended
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Micro 5.3:python3-lxml-4.7.1-150200.3.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.3:python3-lxml-4.7.1-150200.3.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.3:python3-lxml-4.7.1-150200.3.15.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.4:python3-lxml-4.7.1-150200.3.15.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.4:python3-lxml-4.7.1-150200.3.15.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Micro 5.4:python3-lxml-4.7.1-150200.3.15.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-lxml",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-lxml fixes the following issue\n\n- CVE-2026-41066: information disclosure via untrusted XML input leading to local file read (bsc#1263254).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-2488,SUSE-SLE-Micro-5.3-2026-2488,SUSE-SLE-Micro-5.4-2026-2488",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_2488-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:2488-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20262488-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:2488-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-June/047462.html"
},
{
"category": "self",
"summary": "SUSE Bug 1263254",
"url": "https://bugzilla.suse.com/1263254"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-41066 page",
"url": "https://www.suse.com/security/cve/CVE-2026-41066/"
}
],
"title": "Security update for python-lxml",
"tracking": {
"current_release_date": "2026-06-22T12:16:03Z",
"generator": {
"date": "2026-06-22T12:16:03Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:2488-1",
"initial_release_date": "2026-06-22T12:16:03Z",
"revision_history": [
{
"date": "2026-06-22T12:16:03Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python2-lxml-4.7.1-150200.3.15.1.aarch64",
"product": {
"name": "python2-lxml-4.7.1-150200.3.15.1.aarch64",
"product_id": "python2-lxml-4.7.1-150200.3.15.1.aarch64"
}
},
{
"category": "product_version",
"name": "python2-lxml-devel-4.7.1-150200.3.15.1.aarch64",
"product": {
"name": "python2-lxml-devel-4.7.1-150200.3.15.1.aarch64",
"product_id": "python2-lxml-devel-4.7.1-150200.3.15.1.aarch64"
}
},
{
"category": "product_version",
"name": "python3-lxml-4.7.1-150200.3.15.1.aarch64",
"product": {
"name": "python3-lxml-4.7.1-150200.3.15.1.aarch64",
"product_id": "python3-lxml-4.7.1-150200.3.15.1.aarch64"
}
},
{
"category": "product_version",
"name": "python3-lxml-devel-4.7.1-150200.3.15.1.aarch64",
"product": {
"name": "python3-lxml-devel-4.7.1-150200.3.15.1.aarch64",
"product_id": "python3-lxml-devel-4.7.1-150200.3.15.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python2-lxml-4.7.1-150200.3.15.1.i586",
"product": {
"name": "python2-lxml-4.7.1-150200.3.15.1.i586",
"product_id": "python2-lxml-4.7.1-150200.3.15.1.i586"
}
},
{
"category": "product_version",
"name": "python2-lxml-devel-4.7.1-150200.3.15.1.i586",
"product": {
"name": "python2-lxml-devel-4.7.1-150200.3.15.1.i586",
"product_id": "python2-lxml-devel-4.7.1-150200.3.15.1.i586"
}
},
{
"category": "product_version",
"name": "python3-lxml-4.7.1-150200.3.15.1.i586",
"product": {
"name": "python3-lxml-4.7.1-150200.3.15.1.i586",
"product_id": "python3-lxml-4.7.1-150200.3.15.1.i586"
}
},
{
"category": "product_version",
"name": "python3-lxml-devel-4.7.1-150200.3.15.1.i586",
"product": {
"name": "python3-lxml-devel-4.7.1-150200.3.15.1.i586",
"product_id": "python3-lxml-devel-4.7.1-150200.3.15.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "python2-lxml-doc-4.7.1-150200.3.15.1.noarch",
"product": {
"name": "python2-lxml-doc-4.7.1-150200.3.15.1.noarch",
"product_id": "python2-lxml-doc-4.7.1-150200.3.15.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-lxml-doc-4.7.1-150200.3.15.1.noarch",
"product": {
"name": "python3-lxml-doc-4.7.1-150200.3.15.1.noarch",
"product_id": "python3-lxml-doc-4.7.1-150200.3.15.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "python2-lxml-4.7.1-150200.3.15.1.ppc64le",
"product": {
"name": "python2-lxml-4.7.1-150200.3.15.1.ppc64le",
"product_id": "python2-lxml-4.7.1-150200.3.15.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python2-lxml-devel-4.7.1-150200.3.15.1.ppc64le",
"product": {
"name": "python2-lxml-devel-4.7.1-150200.3.15.1.ppc64le",
"product_id": "python2-lxml-devel-4.7.1-150200.3.15.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python3-lxml-4.7.1-150200.3.15.1.ppc64le",
"product": {
"name": "python3-lxml-4.7.1-150200.3.15.1.ppc64le",
"product_id": "python3-lxml-4.7.1-150200.3.15.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python3-lxml-devel-4.7.1-150200.3.15.1.ppc64le",
"product": {
"name": "python3-lxml-devel-4.7.1-150200.3.15.1.ppc64le",
"product_id": "python3-lxml-devel-4.7.1-150200.3.15.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python2-lxml-4.7.1-150200.3.15.1.s390x",
"product": {
"name": "python2-lxml-4.7.1-150200.3.15.1.s390x",
"product_id": "python2-lxml-4.7.1-150200.3.15.1.s390x"
}
},
{
"category": "product_version",
"name": "python2-lxml-devel-4.7.1-150200.3.15.1.s390x",
"product": {
"name": "python2-lxml-devel-4.7.1-150200.3.15.1.s390x",
"product_id": "python2-lxml-devel-4.7.1-150200.3.15.1.s390x"
}
},
{
"category": "product_version",
"name": "python3-lxml-4.7.1-150200.3.15.1.s390x",
"product": {
"name": "python3-lxml-4.7.1-150200.3.15.1.s390x",
"product_id": "python3-lxml-4.7.1-150200.3.15.1.s390x"
}
},
{
"category": "product_version",
"name": "python3-lxml-devel-4.7.1-150200.3.15.1.s390x",
"product": {
"name": "python3-lxml-devel-4.7.1-150200.3.15.1.s390x",
"product_id": "python3-lxml-devel-4.7.1-150200.3.15.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python2-lxml-4.7.1-150200.3.15.1.x86_64",
"product": {
"name": "python2-lxml-4.7.1-150200.3.15.1.x86_64",
"product_id": "python2-lxml-4.7.1-150200.3.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "python2-lxml-devel-4.7.1-150200.3.15.1.x86_64",
"product": {
"name": "python2-lxml-devel-4.7.1-150200.3.15.1.x86_64",
"product_id": "python2-lxml-devel-4.7.1-150200.3.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "python3-lxml-4.7.1-150200.3.15.1.x86_64",
"product": {
"name": "python3-lxml-4.7.1-150200.3.15.1.x86_64",
"product_id": "python3-lxml-4.7.1-150200.3.15.1.x86_64"
}
},
{
"category": "product_version",
"name": "python3-lxml-devel-4.7.1-150200.3.15.1.x86_64",
"product": {
"name": "python3-lxml-devel-4.7.1-150200.3.15.1.x86_64",
"product_id": "python3-lxml-devel-4.7.1-150200.3.15.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Micro 5.3",
"product": {
"name": "SUSE Linux Enterprise Micro 5.3",
"product_id": "SUSE Linux Enterprise Micro 5.3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-micro:5.3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Micro 5.4",
"product": {
"name": "SUSE Linux Enterprise Micro 5.4",
"product_id": "SUSE Linux Enterprise Micro 5.4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-micro:5.4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-lxml-4.7.1-150200.3.15.1.aarch64 as component of SUSE Linux Enterprise Micro 5.3",
"product_id": "SUSE Linux Enterprise Micro 5.3:python3-lxml-4.7.1-150200.3.15.1.aarch64"
},
"product_reference": "python3-lxml-4.7.1-150200.3.15.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-lxml-4.7.1-150200.3.15.1.s390x as component of SUSE Linux Enterprise Micro 5.3",
"product_id": "SUSE Linux Enterprise Micro 5.3:python3-lxml-4.7.1-150200.3.15.1.s390x"
},
"product_reference": "python3-lxml-4.7.1-150200.3.15.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-lxml-4.7.1-150200.3.15.1.x86_64 as component of SUSE Linux Enterprise Micro 5.3",
"product_id": "SUSE Linux Enterprise Micro 5.3:python3-lxml-4.7.1-150200.3.15.1.x86_64"
},
"product_reference": "python3-lxml-4.7.1-150200.3.15.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-lxml-4.7.1-150200.3.15.1.aarch64 as component of SUSE Linux Enterprise Micro 5.4",
"product_id": "SUSE Linux Enterprise Micro 5.4:python3-lxml-4.7.1-150200.3.15.1.aarch64"
},
"product_reference": "python3-lxml-4.7.1-150200.3.15.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-lxml-4.7.1-150200.3.15.1.s390x as component of SUSE Linux Enterprise Micro 5.4",
"product_id": "SUSE Linux Enterprise Micro 5.4:python3-lxml-4.7.1-150200.3.15.1.s390x"
},
"product_reference": "python3-lxml-4.7.1-150200.3.15.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-lxml-4.7.1-150200.3.15.1.x86_64 as component of SUSE Linux Enterprise Micro 5.4",
"product_id": "SUSE Linux Enterprise Micro 5.4:python3-lxml-4.7.1-150200.3.15.1.x86_64"
},
"product_reference": "python3-lxml-4.7.1-150200.3.15.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Micro 5.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-41066",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-41066"
}
],
"notes": [
{
"category": "general",
"text": "lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities=\u0027internal\u0027 or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Micro 5.3:python3-lxml-4.7.1-150200.3.15.1.aarch64",
"SUSE Linux Enterprise Micro 5.3:python3-lxml-4.7.1-150200.3.15.1.s390x",
"SUSE Linux Enterprise Micro 5.3:python3-lxml-4.7.1-150200.3.15.1.x86_64",
"SUSE Linux Enterprise Micro 5.4:python3-lxml-4.7.1-150200.3.15.1.aarch64",
"SUSE Linux Enterprise Micro 5.4:python3-lxml-4.7.1-150200.3.15.1.s390x",
"SUSE Linux Enterprise Micro 5.4:python3-lxml-4.7.1-150200.3.15.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-41066",
"url": "https://www.suse.com/security/cve/CVE-2026-41066"
},
{
"category": "external",
"summary": "SUSE Bug 1263254 for CVE-2026-41066",
"url": "https://bugzilla.suse.com/1263254"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Micro 5.3:python3-lxml-4.7.1-150200.3.15.1.aarch64",
"SUSE Linux Enterprise Micro 5.3:python3-lxml-4.7.1-150200.3.15.1.s390x",
"SUSE Linux Enterprise Micro 5.3:python3-lxml-4.7.1-150200.3.15.1.x86_64",
"SUSE Linux Enterprise Micro 5.4:python3-lxml-4.7.1-150200.3.15.1.aarch64",
"SUSE Linux Enterprise Micro 5.4:python3-lxml-4.7.1-150200.3.15.1.s390x",
"SUSE Linux Enterprise Micro 5.4:python3-lxml-4.7.1-150200.3.15.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Micro 5.3:python3-lxml-4.7.1-150200.3.15.1.aarch64",
"SUSE Linux Enterprise Micro 5.3:python3-lxml-4.7.1-150200.3.15.1.s390x",
"SUSE Linux Enterprise Micro 5.3:python3-lxml-4.7.1-150200.3.15.1.x86_64",
"SUSE Linux Enterprise Micro 5.4:python3-lxml-4.7.1-150200.3.15.1.aarch64",
"SUSE Linux Enterprise Micro 5.4:python3-lxml-4.7.1-150200.3.15.1.s390x",
"SUSE Linux Enterprise Micro 5.4:python3-lxml-4.7.1-150200.3.15.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-22T12:16:03Z",
"details": "moderate"
}
],
"title": "CVE-2026-41066"
}
]
}
WID-SEC-W-2026-1219
Vulnerability from csaf_certbund - Published: 2026-04-21 22:00 - Updated: 2026-05-25 22:00Summary
lxml: Schwachstelle ermöglicht Offenlegung von Informationen
Severity
Mittel
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: lxml ist ein XML-Toolkit für Python, das die C-Bibliotheken libxml2 und libxslt verwendet.
Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle in lxml ausnutzen, um Informationen offenzulegen.
Betroffene Betriebssysteme: - Linux
- Sonstiges
- UNIX
- Windows
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Open Source lxml <6.1.0
Open Source / lxml
|
<6.1.0 | ||
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— |
References
7 references
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "lxml ist ein XML-Toolkit f\u00fcr Python, das die C-Bibliotheken libxml2 und libxslt verwendet.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in lxml ausnutzen, um Informationen offenzulegen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-1219 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1219.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-1219 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1219"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-vfmq-68hx-4jfw vom 2026-04-21",
"url": "https://github.com/advisories/GHSA-vfmq-68hx-4jfw"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:21587-1 vom 2026-05-15",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026043.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:21603-1 vom 2026-05-15",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026035.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:20737-1 vom 2026-05-19",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GE75XYXY72AF6SBZYWIEL2UV5MOWPSN3/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:21731-1 vom 2026-05-22",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/026268.html"
}
],
"source_lang": "en-US",
"title": "lxml: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
"tracking": {
"current_release_date": "2026-05-25T22:00:00.000+00:00",
"generator": {
"date": "2026-05-26T12:16:35.990+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.6.0"
}
},
"id": "WID-SEC-W-2026-1219",
"initial_release_date": "2026-04-21T22:00:00.000+00:00",
"revision_history": [
{
"date": "2026-04-21T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-04-26T22:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2026-25572"
},
{
"date": "2026-05-14T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-05-18T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2026-05-25T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von SUSE aufgenommen"
}
],
"status": "final",
"version": "5"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c6.1.0",
"product": {
"name": "Open Source lxml \u003c6.1.0",
"product_id": "T053184"
}
},
{
"category": "product_version",
"name": "6.1.0",
"product": {
"name": "Open Source lxml 6.1.0",
"product_id": "T053184-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:lxml:lxml:6.1.0"
}
}
}
],
"category": "product_name",
"name": "lxml"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-41066",
"product_status": {
"known_affected": [
"T002207",
"T053184",
"T027843"
]
},
"release_date": "2026-04-21T22:00:00.000+00:00",
"title": "CVE-2026-41066"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…