Skip to content

chore(deps): update dependency lxml to v6.1.0 [security]#556

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/pypi-lxml-vulnerability
Apr 22, 2026
Merged

chore(deps): update dependency lxml to v6.1.0 [security]#556
renovate[bot] merged 1 commit intomainfrom
renovate/pypi-lxml-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 22, 2026

This PR contains the following updates:

Package Change Age Confidence
lxml (source, changelog) 6.0.26.1.0 age confidence

lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files

CVE-2026-41066 / GHSA-vfmq-68hx-4jfw

More information

Details

Impact

Using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files.

Patches

lxml 6.1.0 changes the default to resolve_entities='internal', thus disallowing local file access by default.

Workarounds

Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access.

Resources

Original report: https://bugs.launchpad.net/lxml/+bug/2146291

The default option was changed to resolve_entities='internal' for the normal XML and HTML parsers in lxml 5.0. The default was not changed for iterparse() and ETCompatXMLParser() at the time. lxml 6.1 makes the safe option the default for all parsers.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

lxml/lxml (lxml)

v6.1.0

Compare Source

==================

This release fixes a possible external entity injection (XXE) vulnerability in
iterparse() and the ETCompatXMLParser.

Features added

  • GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes
    in lxml.html.defs. This allows lxml_html_clean to pass them through.
    Patch by oomsveta.

  • The default chunk size for reading from file-likes in iterparse() is now configurable
    with a new chunk_size argument.

Bugs fixed

  • LP#2146291: The resolve_entities option was still set to True for
    iterparse and ETCompatXMLParser, allowing for external entity injection (XXE)
    when using these parsers without setting this option explicitly.
    The default was now changed to 'internal' only (as for the normal XML and HTML parsers
    since lxml 5.0).
    Issue found by Sihao Qiu as CVE-2026-41066.

v6.0.4

Compare Source

==================

Bugs fixed

  • LP#2148019: Spurious MemoryError during namespace cleanup.

v6.0.3

Compare Source

==================

Bugs fixed

  • Several out of memory error cases now raise MemoryError that were not handled before.

  • Slicing with large step values (outside of +/- sys.maxsize) could trigger undefined C behaviour.

  • LP#2125399: Some failing tests were fixed or disabled in PyPy.

  • LP#2138421: Memory leak in error cases when setting the public_id or system_url of a document.

  • Memory leak in case of a memory allocation failure when copying document subtrees.

  • When mapping an XPath result to Python failed, the result memory could leak.

  • When preparing an XSLT transform failed, the XSLT parameter memory could leak.

Other changes

  • Built using Cython 3.2.4.

  • Binary wheels use zlib 1.3.2.

Configuration

📅 Schedule: (in timezone Europe/Berlin)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added bot Automated pull requests or issues dependencies Pull requests that update a dependency file renovate Pull requests from Renovate skip:codecov Skip Codecov reporting and check skip:test:long_running Skip long-running tests (≥5min) labels Apr 22, 2026
@renovate renovate Bot added dependencies Pull requests that update a dependency file bot Automated pull requests or issues renovate Pull requests from Renovate skip:test:long_running Skip long-running tests (≥5min) skip:codecov Skip Codecov reporting and check labels Apr 22, 2026
@renovate renovate Bot enabled auto-merge (squash) April 22, 2026 03:06
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 22, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@renovate renovate Bot merged commit 12ec0c7 into main Apr 22, 2026
32 of 35 checks passed
@renovate renovate Bot deleted the renovate/pypi-lxml-vulnerability branch April 22, 2026 03:27
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen Awaiting requested review from helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen is a code owner

Assignees

No one assigned

Labels

bot Automated pull requests or issues dependencies Pull requests that update a dependency file renovate Pull requests from Renovate skip:codecov Skip Codecov reporting and check skip:test:long_running Skip long-running tests (≥5min)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants