ALAS2-2026-3297


Amazon Linux 2 Security Advisory: ALAS2-2026-3297
Advisory Released Date: 2026-05-14
Advisory Updated Date: 2026-05-14
Severity: Important

Issue Overview:

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0. (CVE-2026-41066)
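An added example, not part of the advisory or of lxml: a static audit that finds lxml parser calls in Python source which leave resolve_entities at the library default, or set it to anything other than the two safe values named above. The set of parser entry points and the sample source are assumptions constructed for illustration, since the advisory does not name the two parsers.

```python
import ast

# Assumption: the advisory does not name the two affected parsers. These are
# lxml.etree entry points that accept resolve_entities; adjust as needed.
PARSER_CALLS = {"XMLParser", "ETCompatXMLParser", "iterparse"}


def call_name(node):
    """Trailing name of a call target, e.g. etree.XMLParser -> 'XMLParser'."""
    func = node.func
    return getattr(func, "attr", None) or getattr(func, "id", None)


def classify(call):
    """Return a reason if the call is not pinned to a safe setting, else None."""
    kw = next((k for k in call.keywords if k.arg == "resolve_entities"), None)
    if kw is None:
        if any(k.arg is None for k in call.keywords):
            return "options passed via **kwargs, review manually"
        return "resolve_entities not set, library default applies"
    if not isinstance(kw.value, ast.Constant):
        return "resolve_entities is not a literal, review manually"
    value = kw.value.value
    # The advisory lists exactly two safe settings: False and 'internal'.
    if value is False or value == "internal":
        return None
    return "resolve_entities=%r is not a setting the advisory lists as safe" % (value,)


def audit_source(source, filename="<string>"):
    """Return sorted (line, call, reason) findings for one Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call) and call_name(node) in PARSER_CALLS:
            reason = classify(node)
            if reason:
                findings.append((node.lineno, call_name(node), reason))
    return sorted(findings)


# Constructed sample input, not taken from any real code base.
SAMPLE = '''\
from lxml import etree
p1 = etree.XMLParser()
p2 = etree.XMLParser(resolve_entities=False)
p3 = etree.XMLParser(resolve_entities="internal", no_network=True)
p4 = etree.XMLParser(resolve_entities=True)
ctx = etree.iterparse(path, events=("end",))
'''
```

Call audit_source(text, path) on each application source file; every finding is a call that should pass resolve_entities='internal' or resolve_entities=False explicitly.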


Affected Packages:

python-lxml


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update python-lxml or yum update --advisory ALAS2-2026-3297 to update your system.

New Packages:
aarch64:
    python-lxml-3.2.1-4.amzn2.0.8.aarch64
    python3-lxml-3.2.1-4.amzn2.0.8.aarch64
    python-lxml-debuginfo-3.2.1-4.amzn2.0.8.aarch64

i686:
    python-lxml-3.2.1-4.amzn2.0.8.i686
    python3-lxml-3.2.1-4.amzn2.0.8.i686
    python-lxml-debuginfo-3.2.1-4.amzn2.0.8.i686

noarch:
    python-lxml-docs-3.2.1-4.amzn2.0.8.noarch

src:
    python-lxml-3.2.1-4.amzn2.0.8.src

x86_64:
    python-lxml-3.2.1-4.amzn2.0.8.x86_64
    python3-lxml-3.2.1-4.amzn2.0.8.x86_64
    python-lxml-debuginfo-3.2.1-4.amzn2.0.8.x86_64