From 0675c8e7683cb0d2c884ca1b13364dc5d58188c1 Mon Sep 17 00:00:00 2001
From: R4F4U
Date: Sat, 13 Jun 2026 01:09:34 +0000
Subject: [PATCH] Loosen lxml pin to allow 6.1.x (security: CVE-2026-41066)

lxml~=6.0.2 excludes 6.1.0, which fixes CVE-2026-41066 / GHSA-vfmq-68hx-4jfw (XXE local-file read via the resolve_entities=True default). Downstream projects that depend on python-fints cannot adopt the lxml fix while the cap stays at <6.1. python-fints uses lxml only via etree.fromstring (fints/camt_parser.py); smoke-tested with lxml 6.1.0: import, namespaced parse and client import all ok.
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 98ea7c4..02c27c2 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -30,7 +30,7 @@ dependencies = [
     "requests",
     "sepaxml~=2.7",
     "enum-tools~=0.12.0",
-    "lxml~=6.0.2",
+    "lxml>=6.0.2,<7",
 ]
 
 dynamic = ["version"]
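Review bot: The new specifier `"lxml>=6.0.2,<7"` still admits the 6.0.x releases the message describes as affected by CVE-2026-41066, so a consumer whose resolver settles on 6.0.2 (a constraints file, a cached wheel, an offline mirror) gets no protection from this change. If the intent is to guarantee the fix rather than merely permit it, raise the floor to `"lxml>=6.1.0,<7"` and record the reason on the line above it, e.g. `# 6.1.0 fixes CVE-2026-41066 (XXE via the resolve_entities default)`; if the floor is deliberately kept for compatibility, a comment stating that trade-off is still worth having so the next reader does not tighten or loosen it blindly. Independently of the pin, the parse site the message names (fints/camt_parser.py, outside this hunk) could pass an `etree.XMLParser(resolve_entities=False)` to `etree.fromstring`, so the hardening does not depend on which lxml the environment happens to resolve. The `<7` cap anticipates an unreleased major; that is reasonable as long as it is revisited when lxml 7 ships.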