CVE-2026-58501

Zeep is a Python SOAP client. From 4.0.0 before 4.3.3, Settings.forbid_external is defined but not enforced when parsing WSDL or XSD documents, allowing transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. This issue is fixed in version 4.3.3.
Configurations

Configuration 1 (hide)

cpe:2.3:a:python-zeep:zeep:*:*:*:*:*:python:*:*

History

10 Jul 2026, 18:15

Type Values Removed Values Added
CPE cpe:2.3:a:mvantellingen:zeep:*:*:*:*:*:python:*:* cpe:2.3:a:python-zeep:zeep:*:*:*:*:*:python:*:*
First Time Python-zeep
Python-zeep zeep
References () https://github.com/mvantellingen/python-zeep/security/advisories/GHSA-4cc2-g9w2-fhf6 - Vendor Advisory, Mitigation, Patch () https://github.com/mvantellingen/python-zeep/security/advisories/GHSA-4cc2-g9w2-fhf6 - Mitigation, Patch, Vendor Advisory

10 Jul 2026, 17:20

Type Values Removed Values Added
First Time Mvantellingen zeep
Mvantellingen
References () https://github.com/mvantellingen/python-zeep/commit/83eb07bc6c84d841329d4f88856fecdba86f753e - () https://github.com/mvantellingen/python-zeep/commit/83eb07bc6c84d841329d4f88856fecdba86f753e - Patch
References () https://github.com/mvantellingen/python-zeep/releases/tag/4.3.3 - () https://github.com/mvantellingen/python-zeep/releases/tag/4.3.3 - Release Notes
References () https://github.com/mvantellingen/python-zeep/security/advisories/GHSA-4cc2-g9w2-fhf6 - () https://github.com/mvantellingen/python-zeep/security/advisories/GHSA-4cc2-g9w2-fhf6 - Vendor Advisory, Mitigation, Patch
CPE cpe:2.3:a:mvantellingen:zeep:*:*:*:*:*:python:*:*

08 Jul 2026, 20:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-08 20:16

Updated : 2026-07-10 18:15


NVD link : CVE-2026-58501

Mitre link : CVE-2026-58501

CVE.ORG link : CVE-2026-58501


JSON object : View

Products Affected

python-zeep

  • zeep
CWE
CWE-918

Server-Side Request Forgery (SSRF)