Back to overview

CVE-2026-58501

MEDIUM
5.9
CVSS 3.1
Description
Zeep is a Python SOAP client. From 4.0.0 before 4.3.3, Settings.forbid_external is defined but not enforced when parsing WSDL or XSD documents, allowing transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. This issue is fixed in version 4.3.3.

Metadata

CVE ID
CVE-2026-58501
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-30 20:21 UTC
Published
2026-07-08 19:31 UTC
Last updated
2026-07-09 13:20 UTC
Primary CWE
CWE-918
CWE-918: Server-Side Request Forgery (SSRF)
Vendor / Product
mvantellingen / python-zeep
Sources
cve.org  ·  NVD

Severity & Metrics

5.9 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
mvantellingen python-zeep >= 4.0.0, < 4.3.3
Weakness (CWE)
CWESourceDescription
CWE-918 cna CWE-918: Server-Side Request Forgery (SSRF)
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.9 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References (3)
Back to overview