Upstream information

CVE-2026-41066 at MITRE

Description

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.

SUSE information

Overall state of this security issue: Does not affect SUSE products

No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s): openSUSE Tumbleweed
Fixed package version(s):
  • python-lxml-doc >= 6.1.0-1.1
  • python311-lxml >= 6.1.0-1.1
  • python311-lxml-devel >= 6.1.0-1.1
  • python313-lxml >= 6.1.0-1.1
  • python313-lxml-devel >= 6.1.0-1.1
  • python314-lxml >= 6.1.0-1.1
  • python314-lxml-devel >= 6.1.0-1.1
References:
  Patchnames: openSUSE-Tumbleweed-2026-10596


SUSE Timeline for this CVE

CVE page created: Wed Apr 22 12:59:01 2026
CVE page last modified: Fri Apr 24 22:55:01 2026