lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files
Impact: Using either of the two parsers in the default configuration with resolve_entities=True allows untrusted XML input to read local files. Patches: lxml 6.1.0 changes the default to resolve_entities='internal', thus disallowing local file access by default. Workarounds: Setting the resolve_entitie...
GHSA-VFMQ-68HX-4JFW lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files
XML External Entity (XXE) Injection
Overview: Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via insecure use of etree.iterparse parsing. An attacker can access sensitive information by submitting a crafted XML payload with references to local files. Details: XXE Injection is a type of attack...
PT-2025-35896
Name of the Vulnerable Software and Affected Versions: langchain-ai/langchain version 0.3.63. Description: The EverNoteLoader component is susceptible to XML External Entity (XXE) attacks due to insecure XML parsing. This issue stems from the use of etree.iterparse without disabling external entity...
Huawei EulerOS: Security Advisory for libxml2 (EulerOS-SA-2024-2638)
The remote host is missing an update for Huawei EulerOS. SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...
Huawei EulerOS: Security Advisory for libxml2 (EulerOS-SA-2024-1889)
The remote host is missing an update for Huawei EulerOS. SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...
Updated libxml2 packages fix security vulnerability
NULL Pointer Dereference allows attackers to cause a denial of service or application crash. This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code...
CVE-2022-2309
NULL Pointer Dereference allows attackers to cause a denial of service or application crash. This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code...
CVE-2022-2309 NULL Pointer Dereference in lxml/lxml
NULL Pointer Dereference allows attackers to cause a denial of service or application crash. This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code...
CVE-2022-2309
CVE-2022-2309 is a NULL-pointer dereference in libxml2 that can cause denial of service or application crash when used with lxml, specifically affecting libxml2 2.9.10–2.9.14 and related python-lxml usage. The vulnerability stems from the iterwalk function (also used by canonicalize), with potent...
PT-2022-7707
Name of the Vulnerable Software and Affected Versions: lxml versions 2.9.10 through 2.9.14 Description: The issue allows attackers to cause a denial of service or application crash when lxml is used together with libxml2. It is triggered by forged input data and a vulnerable code sequence in the...