VDB
KO

PYSEC-2026-2057

xml2rfc is vulnerable to arbitrary file reads through prepped files

Details

### Impact

When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML.

### Workarounds

Test untrusted input with `link` elements with `rel="attachment"` before processing.

### References This is related to [GHSA-cfmv-h8fx-85m7](https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7).

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / xml2rfc
Introduced in: 0 Fixed in: 3.30.2
Fix pip install --upgrade 'xml2rfc>=3.30.2'

References