LeakyCreds

CVE-2026-41066 - Vulnerability Analysis

Severity: High (CVSS 7.5)

Last Updated: April 27, 2026

lxml - XML External Entity Injection

Published: April 24, 2026 | Updated: April 27, 2026 | PoC Available | Remote Exploitable

Overview

lxml versions before 6.1.0 contain an XML external entity (XXE) injection caused by the default parser configuration (resolve_entities=True), which lets an attacker read local files. Exploitation requires that the application parse untrusted XML input.

Severity & Score

Severity: High
CVSS Score: 7.5
EPSS Score: 3.2% (probability of exploitation in the next 30 days)

Impact

Attackers can read local files, potentially exposing sensitive information.

Mitigation

Update to version 6.1.0 or later.
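The parser-side hardening that complements the upgrade, as an added example that is not code from this page, TheHackerWire or the lxml project: a constructed document declares an external entity pointing at a constructed local file, and a parser built with lxml's resolve_entities=False (the default-configuration setting the overview names) leaves the reference unexpanded. The no_network=True and load_dtd=False options, the file layout and all function names are assumptions made here; lxml must be installed.

```python
import os
import tempfile

try:
    from lxml import etree  # third-party package; the library the advisory covers
except ImportError:  # keep the module importable where lxml is absent
    etree = None


def lxml_available() -> bool:
    return etree is not None  # the functions below require lxml


def hardened_parser():
    """Parser settings for untrusted XML. resolve_entities=False leaves entity
    references unexpanded; no_network/load_dtd are added here as assumptions."""
    return etree.XMLParser(resolve_entities=False, no_network=True, load_dtd=False)


def write_sample(tmpdir):
    """Constructed input: a 'secret' file and an XML document whose DOCTYPE
    declares an external entity pointing at that file. Returns (xml, secret)."""
    secret_path = os.path.join(tmpdir, "secret.txt")
    with open(secret_path, "w", encoding="utf-8") as fh:
        fh.write("constructed-secret")
    xml = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE doc [<!ENTITY ext SYSTEM "file://%s">]>\n'
        "<doc>&ext;</doc>" % secret_path
    )
    return xml.encode("utf-8"), "constructed-secret"


def parse_untrusted(xml):
    """Parse with the hardened parser and report what reached the tree. With
    resolution off, lxml keeps '&ext;' as an entity node, not the file's text."""
    root = etree.fromstring(xml, hardened_parser())
    return {
        "text": root.text or "",
        "serialized": etree.tostring(root).decode("utf-8"),
        "entity_nodes": [c.name for c in root if c.tag is etree.Entity],
    }


def demo():
    """End-to-end check on the constructed sample; 'leaked' must be False."""
    with tempfile.TemporaryDirectory() as tmpdir:
        xml, secret = write_sample(tmpdir)
        result = parse_untrusted(xml)  # parsed while the file still exists
    result["leaked"] = secret in result["text"] or secret in result["serialized"]
    return result
```

Running demo() on a pre-6.1.0 lxml with the default XMLParser() instead of hardened_parser() is the comparison the advisory describes; the hardened parser gives the same safe result on every version.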

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Apr 24, 2026

🟠 CVE-2026-41066 - High (7.5) lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_ent... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41066/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-41066
Severity: High
CVSS Score: 7.5
Type: xml_external_entity_injection
Status: confirmed
EPSS: 3.2%
Social Posts: 1

CWE

  • CWE-611

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score

3.2% (probability of exploitation in the next 30 days)