Bug 2461613 (CVE-2026-41066)
| Summary: | CVE-2026-41066 lxml: python: lxml: Information disclosure via untrusted XML input leading to local file read | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | adudiak, alinfoot, anthomas, bdettelb, caswilli, derez, dfreiber, doconnor, dranck, drow, dschmidt, dtrifiro, ehelms, erezende, ggainey, jburrell, jkoehler, jlanda, jsamir, juwatts, kaycoth, kshier, lbrazdil, ljawale, lphiri, luizcosta, mhulan, mminar, nmoumoul, nweather, osousa, pakotvan, pcreech, rbiba, rbobbitt, rbryant, rchan, rhel-process-autobot, rjohnson, simaishi, smallamp, smcdonal, sskracic, stcannon, sthirugn, teagle, tmalecek, tpfromme, vkumar, watson-tool-maintainers, weaton, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | A flaw was found in lxml, a library for processing XML and HTML in Python. A remote attacker can exploit this vulnerability by sending untrusted XML input to an application using lxml's default parser configuration. This allows the attacker to read local files on the system, leading to information disclosure. |
| Story Points: | --- |
Description
OSIDB Bzimport
2026-04-24 18:02:09 UTC