python · ultimate-sitemap-parser · Critical

ultimate-sitemap-parser: XML Entity Expansion DoS Vulnerability

20 Jun 2026 · Read 1 min · Severity: act now

What changed

XMLSitemapParser feeds sitemap XML to Python's xml.parsers.expat without rejecting DTD (DOCTYPE) declarations or limiting nested entity references. A sitemap of a few kilobytes that declares entities referencing each other (the "Billion Laughs" pattern) therefore expands to gigabytes of character data inside the parser, consuming unbounded CPU and memory: an XML Entity Expansion denial of service.

Who it affects

Any application that passes sitemaps from sources it does not control through ultimate-sitemap-parser, including web crawlers, CI/CD pipelines, and monitoring tools that fetch sitemap.xml from arbitrary hosts.

What to do today

Upgrade ultimate-sitemap-parser to a patched release. Until you can, apply a workaround: reject any sitemap that carries a DOCTYPE declaration before it reaches the parser (no legitimate sitemap needs a DTD), or parse with defusedxml's parsers, which refuse entity declarations by default and refuse DOCTYPE as well when called with forbid_dtd=True.
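The following is an added example, not code from ultimate-sitemap-parser or from this advisory's author. It shows the two behaviours side by side on a constructed sample: a default xml.parsers.expat parser silently expands a small Billion Laughs payload, while the same parser with a StartDoctypeDeclHandler (and, as defence in depth, an EntityDeclHandler) that raises on sight refuses the document before any expansion happens. The sitemap documents, the `parse_unsafe`/`parse_hardened` function names and the `DoctypeRejected` exception are all assumptions made for the example; the payload is kept to three nesting levels (1,000x) so the unsafe parse finishes instantly.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when a sitemap carries a DTD, which no legitimate sitemap needs."""


# Constructed sample (not taken from any real site): a three-level
# "Billion Laughs" payload, deliberately tiny (1,000x expansion) so the
# unsafe parse returns immediately. An attacker nests ten levels for 10^10.
LOL_SITEMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE urlset [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/&lol3;</loc></url>
</urlset>
"""

# Constructed benign sitemap for comparison.
SAFE_SITEMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/about</loc></url>
</urlset>
"""


def _collect_locs(parser):
    """Attach handlers that gather the text of every <loc> element."""
    locs, buf, in_loc = [], [], False

    def start(name, attrs):
        nonlocal in_loc
        if name == "loc":
            in_loc = True
            buf.clear()

    def chars(data):
        if in_loc:
            buf.append(data)

    def end(name):
        nonlocal in_loc
        if name == "loc":
            locs.append("".join(buf))
            in_loc = False

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    return locs


def parse_unsafe(data: bytes) -> list:
    """Expat with default settings: the internal DTD subset is honoured and
    every entity reference is expanded into the character data it delivers."""
    p = xml.parsers.expat.ParserCreate()
    locs = _collect_locs(p)
    p.Parse(data, True)
    return locs


def parse_hardened(data: bytes) -> list:
    """Same parser, but a DOCTYPE or entity declaration aborts the parse
    before expat has expanded anything."""
    p = xml.parsers.expat.ParserCreate()

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {doctype_name!r} is not allowed in a sitemap")

    def reject_entity(entity_name, is_parameter_entity, value, base,
                      system_id, public_id, notation_name):
        raise DoctypeRejected(f"entity declaration {entity_name!r} is not allowed")

    def reject_external(context, base, system_id, public_id):
        return 0  # a false return makes expat fail instead of fetching the entity

    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity            # defence in depth
    p.ExternalEntityRefHandler = reject_external   # no XXE-style fetches either
    locs = _collect_locs(p)
    p.Parse(data, True)
    return locs


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(data)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    expanded = parse_unsafe(LOL_SITEMAP)
    print(f"unsafe parse: one <loc> of {len(expanded[0])} characters "
          f"from a {len(LOL_SITEMAP)}-byte document")
    print("hardened parse rejects payload:", is_rejected(LOL_SITEMAP))
    print("hardened parse of benign sitemap:", parse_hardened(SAFE_SITEMAP))
```

Rejecting in the DOCTYPE handler is preferable to scanning the bytes for the string `<!DOCTYPE`, because the handler fires on the declaration exactly as expat tokenises it, not on a look-alike inside a comment or CDATA section, and it stops the parse before a single entity has been expanded. Recent libexpat builds also cap entity amplification on their own, but that limit is a backstop with a fixed threshold, not a policy; refusing DTDs outright is the control to rely on for a format that never legitimately uses them.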
