Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') Affecting ultimate-sitemap-parser package, versions [,1.8.1)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-ULTIMATESITEMAPPARSER-17675204
  • published29 Jun 2026
  • disclosed19 Jun 2026
  • creditUnknown

Introduced: 19 Jun 2026

New CVE NOT AVAILABLE CWE-776  (opens in a new tab)

How to fix?

Upgrade ultimate-sitemap-parser to version 1.8.1 or higher.

Overview

ultimate-sitemap-parser is an A performant library for parsing and crawling sitemaps

Affected versions of this package are vulnerable to Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') through the sitemap_tree_for_homepage and sitemap_from_str functions when parsing attacker-controlled XML content without restrictions on DTD declarations or recursive entity references. An attacker can cause unbounded CPU and memory consumption by supplying a malicious XML payload with deeply nested entity expansions.

References

CVSS Base Scores

version 4.0
version 3.1