
Security: Upgrade lxml dependency to >=6.1.0 to fix XXE vulnerability (CVE-2026-41066 / Safety ID 94243) #425

@krishnendu

Description


Summary

A high-severity security vulnerability has been identified in the lxml dependency used by python-xmlsec. The vulnerability allows XML External Entity (XXE) Injection, which can enable an attacker to read sensitive local files from the host system.

Status

Already fixed in master. The dependency update has been merged into the master branch; however, a new release has not yet been published to PyPI. Users relying on the latest stable release remain exposed to this vulnerability until a new version is tagged and released.

Please consider cutting a new release so downstream users can pick up the fix without having to pin to master.

Vulnerability Details

| Field | Details |
|---|---|
| Safety ID | 94243 (pyup.io-94243) |
| CVE | CVE-2026-41066 |
| GHSA | GHSA-vfmq-68hx-4jfw |
| Severity | 🔴 High (CVSS 7.5) |
| CWE | CWE-611 (Improper Restriction of XML External Entity Reference) |
| Affected Package | lxml < 6.1.0 |
| Fix | Upgrade lxml to >= 6.1.0 |

Description

Affected versions of lxml are vulnerable to XML External Entity Injection due to insecure default parser configuration. Both iterparse() and ETCompatXMLParser() default to resolve_entities=True, meaning untrusted XML input processed through either parser will expand external entity references and potentially read referenced local files.

An attacker who supplies a crafted XML document to an application using these parsers in their default configuration can read sensitive local files and exfiltrate their contents through the parsed output.

Since python-xmlsec processes XML documents and relies on lxml, users of this library may be exposed to this vulnerability.
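As an added defender-side example (not code from python-xmlsec or lxml), the block below shows two independent safeguards an application can apply while waiting for the patched release: a pre-parse check that refuses any document declaring a DTD (the only place an entity can be declared), and an explicitly hardened lxml `XMLParser` so the application no longer depends on the library's defaults. It also checks an installed lxml version string against the advisory's `>= 6.1.0` threshold. All function names, the sample documents and the `file:///PLACEHOLDER/path` value are constructed for this example; the `XMLParser` keyword arguments are real lxml options.

```python
"""Defensive handling of untrusted XML with lxml (added example, not project code).

The advisory above states that lxml < 6.1.0 ships parsers whose default is
resolve_entities=True.  Rather than rely on library defaults, reject
DTD-bearing input up front and configure the parser explicitly.
"""
import re

# Threshold taken from the advisory: lxml >= 6.1.0 carries the fix.
FIXED_LXML_VERSION = (6, 1, 0)

# XML keywords are case-sensitive, so '<!doctype' is not a valid DTD, but a
# fail-closed check costs nothing by also matching odd-cased prologs.
_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def lxml_version_is_fixed(version: str) -> bool:
    """Return True if a version string such as '6.1.0' is >= the fixed release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised lxml version string: {version!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch) >= FIXED_LXML_VERSION


def declares_dtd(data: bytes) -> bool:
    """True if the raw document contains a DOCTYPE or ENTITY declaration.

    An entity reference can only be expanded if the entity is declared, and
    declarations live in the DTD, so refusing any DTD removes the XXE surface
    regardless of parser settings.  A '<!DOCTYPE' inside a comment also
    triggers this; that is a deliberate false positive.
    """
    return _DTD_MARKERS.search(data) is not None


def make_hardened_parser():
    """Build an lxml XMLParser that neither resolves nor fetches entities.

    lxml is imported lazily so the pre-parse helpers above work without it.
    """
    from lxml import etree  # hypothetical use site; kwargs are documented lxml options
    return etree.XMLParser(
        resolve_entities=False,  # never expand entity references
        no_network=True,         # never fetch external DTDs or entities
        load_dtd=False,          # do not load an external DTD at all
        dtd_validation=False,
        huge_tree=False,         # keep libxml2's expansion limits enabled
    )


def parse_untrusted(data: bytes):
    """Parse XML from an untrusted source, refusing DTD-bearing input."""
    if declares_dtd(data):
        raise ValueError("refusing XML input that declares a DTD")
    from lxml import etree
    return etree.fromstring(data, parser=make_hardened_parser())


# Constructed sample input (not from the advisory): a document declaring an
# external entity that points at a placeholder path.
SAMPLE_WITH_DTD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE doc [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>\n'
    b"<doc>&ext;</doc>"
)
SAMPLE_CLEAN = b"<doc><item>1</item></doc>"

if __name__ == "__main__":
    print("5.3.0 fixed?", lxml_version_is_fixed("5.3.0"))       # False
    print("6.1.0 fixed?", lxml_version_is_fixed("6.1.0"))       # True
    print("DTD sample rejected?", declares_dtd(SAMPLE_WITH_DTD))  # True
    print("Clean sample rejected?", declares_dtd(SAMPLE_CLEAN))   # False
```

The DTD check is the one safeguard that holds even if a parser elsewhere in the dependency tree still uses the old defaults, which is why it runs before the parser is built; `make_hardened_parser()` is the belt-and-braces setting for code that must keep calling lxml directly.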

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | None |
| Availability Impact | None |

Note: The fix is already merged into the master branch but has not yet been published as a release on PyPI. A new tagged release is needed so downstream consumers can receive the patch through normal package management.
