CVE-2026-58501
Received
Received - Intake
Zeep Python SOAP Client External Entity Injection via WSDL/XSD
Vulnerability report for CVE-2026-58501, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-08
Last updated on: 2026-07-08
Assigner: GitHub, Inc.
Description
Description
Zeep is a Python SOAP client. From 4.0.0 before 4.3.3, Settings.forbid_external is defined but not enforced when parsing WSDL or XSD documents, allowing transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. This issue is fixed in version 4.3.3.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mikael_ΓΆrn | zeep | to 4.3.3 (exc) |
| mikael_ΓΆrn | zeep | 4.3.3 |
| mvantellingen | python-zeep | From 4.0.0 (inc) to 4.3.3 (exc) |
| mvantellingen | python-zeep | 4.3.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |