{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41066/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["lxml library"],"_cs_severities":["high"],"_cs_tags":["lxml","XXE","vulnerability","CVE-2026-41066"],"_cs_type":"advisory","_cs_vendors":["lxml"],"content_html":"\u003cp\u003eThe lxml library, a widely used XML and HTML processing library for Python, is vulnerable to XML External Entity (XXE) injection attacks in versions prior to 6.1.0. This vulnerability specifically affects the \u003ccode\u003eiterparse()\u003c/code\u003e and \u003ccode\u003eETCompatXMLParser()\u003c/code\u003e functions when used with their default configuration, where \u003ccode\u003eresolve_entities\u003c/code\u003e is set to \u003ccode\u003eTrue\u003c/code\u003e. This default setting allows an attacker to supply a specially crafted XML document that can force the parser to read arbitrary local files. This vulnerability was addressed in lxml 6.1.0 by changing the default \u003ccode\u003eresolve_entities\u003c/code\u003e setting to \u003ccode\u003e'internal'\u003c/code\u003e, mitigating the risk of local file access. The original report can be found at \u003ca href=\"https://bugs.launchpad.net/lxml/+bug/2146291\"\u003ehttps://bugs.launchpad.net/lxml/+bug/2146291\u003c/a\u003e. This vulnerability is identified as CVE-2026-41066.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious XML document containing an external entity declaration. This declaration points to a local file path.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted XML document to an application that uses the vulnerable \u003ccode\u003elxml.iterparse()\u003c/code\u003e or \u003ccode\u003elxml.ETCompatXMLParser()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable lxml parser, configured with default settings (\u003ccode\u003eresolve_entities=True\u003c/code\u003e), attempts to resolve the external entity.\u003c/li\u003e\n\u003cli\u003eThe parser reads the contents of the local file specified in the external entity declaration.\u003c/li\u003e\n\u003cli\u003eThe application processes the parsed XML data, including the content of the local file.\u003c/li\u003e\n\u003cli\u003eThe application may then display the file contents to the attacker or use it in further processing.\u003c/li\u003e\n\u003cli\u003eIf the application is running with elevated privileges, the attacker might be able to read sensitive system files.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation can lead to information disclosure and potentially further compromise of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XXE vulnerability can lead to the disclosure of sensitive information stored on the server's local file system. This could include configuration files, application source code, or even sensitive data. The number of potential victims is dependent on the prevalence of vulnerable lxml library versions (\u0026lt; 6.1.0) in applications that process untrusted XML input using \u003ccode\u003eiterparse()\u003c/code\u003e or \u003ccode\u003eETCompatXMLParser()\u003c/code\u003e with default settings. The sectors impacted are broad, as lxml is a general-purpose library used in a wide variety of applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the lxml library to version 6.1.0 or later to patch CVE-2026-41066.\u003c/li\u003e\n\u003cli\u003eExplicitly set the \u003ccode\u003eresolve_entities\u003c/code\u003e option to \u003ccode\u003e'internal'\u003c/code\u003e or \u003ccode\u003eFalse\u003c/code\u003e when using \u003ccode\u003elxml.iterparse()\u003c/code\u003e or \u003ccode\u003elxml.ETCompatXMLParser()\u003c/code\u003e to disable local file access, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect lxml XXE via iterparse or ETCompatXMLParser\u003c/code\u003e to identify potential XXE attacks targeting vulnerable lxml versions.\u003c/li\u003e\n\u003cli\u003eReview application code that uses lxml to ensure proper handling of XML input and prevent the processing of untrusted external entities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-lxml-xxe/","summary":"lxml versions before 6.1.0 are vulnerable to XML External Entity (XXE) attacks when using iterparse() or ETCompatXMLParser() with default settings, potentially allowing local file reads.","title":"lxml Library Vulnerable to XXE Attacks via iterparse() and ETCompatXMLParser()","url":"https://feed.craftedsignal.io/briefs/2024-01-03-lxml-xxe/"}],"language":"en","title":"CraftedSignal Threat Feed - CVE-2026-41066","version":"https://jsonfeed.org/version/1.1"}