—
PYSEC-2026-2057
xml2rfc is vulnerable to arbitrary file reads through prepped files
상세
### Impact
When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML.
### Workarounds
Test untrusted input with `link` elements with `rel="attachment"` before processing.
### References This is related to [GHSA-cfmv-h8fx-85m7](https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7).
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-9mv7-3c64-mmqw [WEB]
- https://github.com/ietf-tools/xml2rfc/commit/73fb1c91fc62ac540bb6bd24f982f2becf84c1b0 [WEB]
- https://github.com/ietf-tools/xml2rfc [PACKAGE]
- https://github.com/ietf-tools/xml2rfc/releases/tag/v3.30.2 [WEB]
- https://pypi.org/project/xml2rfc [PACKAGE]
- https://github.com/advisories/GHSA-9mv7-3c64-mmqw [ADVISORY]
- https://nvd.nist.gov/vuln/detail/CVE-2025-11059 [ADVISORY]