All lxml CVEs — Complete Vulnerability History
lxml is Python's XML and HTML processing library, wrapping libxml2 and libxslt. Similar to Nokogiri in Ruby, its CVE history often reflects upstream C library vulnerabilities.
PyPI
30M+ weekly downloads
2 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2021-28957 | 2021 | MEDIUM | XSS via HTML cleanup | Fixed 4.6.3 |
| CVE-2022-2309 | 2022 | HIGH | NULL pointer dereference via crafted XML | Fixed 4.9.3 |
Current safe version: 5.2.1
Update the pin in your requirements.txt:

```
# Before
lxml==4.9.3
# After
lxml==5.2.1
```

Then run: `pip install -r requirements.txt`
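To check a manifest against the fix versions in the table above without installing anything, here is an added stand-alone script (not part of this page or of lxml); it reads `==` pins from requirements.txt text, compares them to the fix versions listed on this page, and reports which CVEs a pin is still exposed to. Version ranges (`>=`, `~=`) are reported as undecidable rather than guessed.

```python
"""Audit pinned lxml versions in a requirements manifest against the CVE fix table on this page."""
import re

# Fix versions exactly as listed in the table above (taken from this page, not fetched).
LXML_FIXES = {
    "CVE-2021-28957": (4, 6, 3),   # XSS via HTML cleanup
    "CVE-2022-2309": (4, 9, 3),    # NULL pointer dereference via crafted XML
}

# Matches "name==1.2.3", tolerating extras such as "lxml[html_clean]==5.2.1".
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*==\s*([0-9][0-9.]*)")


def parse_version(text):
    """'4.9.3' -> (4, 9, 3); shorter strings are zero-padded so '5.2' < '5.2.1'."""
    parts = tuple(int(p) for p in text.strip().split(".") if p)
    return parts + (0,) * (3 - len(parts))


def audit_requirements(manifest, package="lxml", fixes=LXML_FIXES):
    """Return {cve: fix_version} for every CVE the pinned version predates.

    Returns {} when the pin is at or beyond all fixes, and None when the package
    is absent or not pinned with '==' (a range cannot be judged from the file alone).
    """
    for line in manifest.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = PIN_RE.match(line)
        if not m or m.group(1).lower() != package:
            continue
        pinned = parse_version(m.group(2))
        return {cve: fixed for cve, fixed in fixes.items() if pinned < fixed}
    return None


def format_version(v):
    return ".".join(str(p) for p in v)


if __name__ == "__main__":
    # Constructed sample manifests mirroring the before/after pins on this page.
    for manifest in ("lxml==4.6.2\nrequests==2.31.0\n", "lxml==4.9.3\n", "lxml==5.2.1\n", "lxml>=4.9\n"):
        result = audit_requirements(manifest)
        if result is None:
            print(f"{manifest.strip()!r}: lxml not pinned with '==', cannot decide")
        elif not result:
            print(f"{manifest.strip()!r}: no listed CVEs open")
        else:
            for cve, fixed in result.items():
                print(f"{manifest.strip()!r}: {cve} open, fixed in {format_version(fixed)}")
```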
Common questions
Should I use lxml or html.parser for HTML scraping?
lxml is faster than html.parser and more lenient with malformed HTML. For untrusted HTML, always sanitize with lxml's HTML cleaner or bleach before rendering it. Note that from lxml 5.2.0 the cleaner lives in the separate lxml_html_clean package (install it with `pip install lxml[html_clean]`), so upgrading to 5.2.1 without it will break imports of `lxml.html.clean`.