Vulmon
Recent Vulnerabilities
Product List
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
lxml lxml vulnerabilities and exploits
(subscribe to this query)
NA
CVE-2024-37388
An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows malicious users to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.
7.5
CVSSv3
CVE-2023-27476
OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to a...
Osgeo Owslib
7.5
CVSSv3
CVE-2022-2309
NULL Pointer Dereference allows malicious users to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 up to and including 2.9.14. libxml2 2.9.9 and previous versions are not affected. It allows triggering crashes thr...
Lxml Lxml
Fedoraproject Fedora 36
Fedoraproject Fedora 37
7.1
CVSSv3
CVE-2021-43818
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a s...
Lxml Lxml
Fedoraproject Fedora 34
Fedoraproject Fedora 35
Debian Debian Linux 9.0
Debian Debian Linux 10.0
Debian Debian Linux 11.0
Netapp Solidfire -
Netapp Solidfire Enterprise Sds -
Netapp Hci Storage Node Firmware -
Oracle Http Server 12.2.1.3.0
Oracle Http Server 12.2.1.4.0
Oracle Zfs Storage Appliance Kit 8.8
Oracle Communications Cloud Native Core Binding Support Function 22.1.3
Oracle Communications Cloud Native Core Policy 22.2.0
Oracle Communications Cloud Native Core Network Exposure Function 22.1.1
7.5
CVSSv3
CVE-2021-33511
Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.
Plone Plone
6.1
CVSSv3
CVE-2021-28957
An XSS vulnerability exists in python-lxml's clean module versions prior to 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this...
Lxml Lxml
Debian Debian Linux 9.0
Debian Debian Linux 10.0
Fedoraproject Fedora 33
Fedoraproject Fedora 34
Netapp Snapcenter -
Oracle Zfs Storage Appliance Kit 8.8
6.1
CVSSv3
CVE-2020-27783
A XSS vulnerability exists in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
Lxml Lxml
Redhat Enterprise Linux 8.0
Redhat Software Collections -
Debian Debian Linux 9.0
Debian Debian Linux 10.0
Fedoraproject Fedora 32
Fedoraproject Fedora 33
Netapp Snapcenter -
Oracle Communications Offline Mediation Controller 12.0.0.3.0
Oracle Zfs Storage Appliance Kit 8.8
1 Github repository
9.8
CVSSv3
CVE-2020-27197
TAXII libtaxii up to and including 1.1.117, as used in EclecticIQ OpenTAXII up to and including 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is used for the XML parser. NOTE: the vendor points out tha...
Libtaxii Project Libtaxii
Eclecticiq Opentaxii
6.1
CVSSv3
CVE-2018-19787
An issue exists in lxml prior to 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote malicious user to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is ...
Lxml Lxml
Debian Debian Linux 8.0
Canonical Ubuntu Linux 16.04
Canonical Ubuntu Linux 14.04
Canonical Ubuntu Linux 12.04
Canonical Ubuntu Linux 18.04
NA
CVE-2014-3146
Incomplete blacklist vulnerability in the lxml.html.clean module in lxml prior to 3.3.5 allows remote malicious users to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
Lxml Lxml 2.1.4
Lxml Lxml 2.0.8
Lxml Lxml 2.1.1
Lxml Lxml 1.1.2
Lxml Lxml 3.1.2
Lxml Lxml 3.2.1
Lxml Lxml 2.0.1
Lxml Lxml 3.3.0
Lxml Lxml 3.1
Lxml Lxml 3.3.3
Lxml Lxml 2.1
Lxml Lxml 3.3.1
Lxml Lxml 3.2.3
Lxml Lxml 1.0
Lxml Lxml 2.0.10
Lxml Lxml 3.0
Lxml Lxml 1.3.2
Lxml Lxml 2.3.4
Lxml Lxml 2.2
Lxml Lxml 2.3.6
Lxml Lxml 1.2
Lxml Lxml 2.2.8
1 EDB exploit
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
type confusion
IMAP
CVE-2024-36103
CVE-2024-28995
CVE-2024-37325
CVE-2024-30078
CVE-2024-30082
SQL injection
CVE-2024-30052
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started