Source: python-zeep
Version: 4.3.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-zeep.

CVE-2026-58501[0]:
| Zeep is a Python SOAP client. From 4.0.0 before 4.3.3,
| Settings.forbid_external is defined but not enforced when parsing
| WSDL or XSD documents, allowing transitive xsd:import, xsd:include,
| wsdl:import, and lxml entity or DTD references to fetch attacker-
| chosen HTTP or HTTPS URLs. This issue is fixed in version 4.3.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-58501
    https://www.cve.org/CVERecord?id=CVE-2026-58501
[1] 
https://github.com/mvantellingen/python-zeep/security/advisories/GHSA-4cc2-g9w2-fhf6
[2] 
https://github.com/mvantellingen/python-zeep/commit/83eb07bc6c84d841329d4f88856fecdba86f753e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to