Is lxml affected by CVE-2026-41066?

PyPI lxml is affected in <6.1.0.

Is CVE-2026-41066 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

high

CVE-2026-41066

Q: Is CVE-2026-41066 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

PyPI · lxml

Summary

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal

Severity: high
EPSS: 0.3% (p17)
Also known as: GHSA-vfmq-68hx-4jfw, PYSEC-2026-87
Published: 2026-04-24

References

https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw
https://bugs.launchpad.net/lxml/+bug/2146291

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.