VDB
KO

PYSEC-2026-2058

xml2rfc has an arbitrary file read vulnerability

Details

### Impact When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the XML.

### Workarounds Test untrusted input with `link` elements with `rel="attachment"` before processing.

### Credits This vulnerability was reported by Mohamed Ouad from [Doyensec](https://doyensec.com/).

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / xml2rfc
Introduced in: 0 Fixed in: 3.30.1
Fix pip install --upgrade 'xml2rfc>=3.30.1'

References