7.5 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): NONE
- Availability impact (A): NONE
Activity log
- Created automatic suggestion
- @LeSuisse ignored 9 packages
- python312Packages.types-lxml
- python313Packages.types-lxml
- python314Packages.types-lxml
- python312Packages.lxml-html-clean
- python313Packages.lxml-html-clean
- python314Packages.lxml-html-clean
- python312Packages.readability-lxml
- python313Packages.readability-lxml
- python314Packages.readability-lxml
- @LeSuisse accepted
- @LeSuisse published on GitHub
lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either iterparse() or ETCompatXMLParser() in its default configuration (resolve_entities=True) allows untrusted XML input to read local files through external entity (XXE) declarations. Setting the resolve_entities option explicitly to resolve_entities='internal' (expand internal entity definitions only) or resolve_entities=False (keep entity references unexpanded) disables the local file access. That explicit setting is the right one for any parser that handles untrusted input whatever the lxml version, because code that passes resolve_entities=True itself still resolves external entities after the fix. This vulnerability is fixed in 6.1.0.
References
- https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw (x_refsource_CONFIRM)
- https://bugs.launchpad.net/lxml/+bug/2146291 (x_refsource_MISC)
Affected products
- lxml < 6.1.0
Matching in nixpkgs
pkgs.python312Packages.lxml
Pythonic binding for the libxml2 and libxslt libraries
pkgs.python313Packages.lxml
Pythonic binding for the libxml2 and libxslt libraries
pkgs.python314Packages.lxml
Pythonic binding for the libxml2 and libxslt libraries
Ignored packages (9)
pkgs.python312Packages.types-lxml
Complete lxml external type annotation
- nixos-25.11 2025.08.25
- nixos-25.11-small 2025.08.25
- nixpkgs-25.11-darwin 2025.08.25
pkgs.python313Packages.types-lxml
Complete lxml external type annotation
- nixos-unstable 2026.01.01
- nixpkgs-unstable 2026.01.01
- nixos-unstable-small 2026.01.01
- nixos-25.11 2025.08.25
- nixos-25.11-small 2025.08.25
- nixpkgs-25.11-darwin 2025.08.25
pkgs.python314Packages.types-lxml
Complete lxml external type annotation
- nixos-unstable 2026.01.01
- nixpkgs-unstable 2026.01.01
- nixos-unstable-small 2026.01.01
pkgs.python312Packages.lxml-html-clean
Separate project for HTML cleaning functionalities copied from lxml.html.clean
pkgs.python313Packages.lxml-html-clean
Separate project for HTML cleaning functionalities copied from lxml.html.clean
pkgs.python314Packages.lxml-html-clean
Separate project for HTML cleaning functionalities copied from lxml.html.clean
pkgs.python312Packages.readability-lxml
Fast python port of arc90's readability tool
pkgs.python313Packages.readability-lxml
Fast python port of arc90's readability tool
pkgs.python314Packages.readability-lxml
Fast python port of arc90's readability tool