—
PYSEC-2026-2058
xml2rfc has an arbitrary file read vulnerability
Details
### Impact When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the XML.
### Workarounds Test untrusted input with `link` elements with `rel="attachment"` before processing.
### Credits This vulnerability was reported by Mohamed Ouad from [Doyensec](https://doyensec.com/).
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7 [WEB]
- https://github.com/ietf-tools/xml2rfc/commit/f2b245bc0aeeac0667c8f74e976c466c5991f0e4 [WEB]
- https://github.com/ietf-tools/xml2rfc [PACKAGE]
- https://pypi.org/project/xml2rfc [PACKAGE]
- https://github.com/advisories/GHSA-cfmv-h8fx-85m7 [ADVISORY]
- https://nvd.nist.gov/vuln/detail/CVE-2025-11058 [ADVISORY]