Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

CVE-2026-40991 (GCVE-0-2026-40991)

Vulnerability from cvelistv5 – Published: 2026-06-09 23:46 – Updated: 2026-06-27 21:10
VLAI
Title
XML External Entity (XXE) injection when documenting untrusted XML content
Summary
When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next executed. Affected versions: Spring REST Docs 4.0.0; 3.0.0 through 3.0.5; 2.0.0.RELEASE through 2.0.8.RELEASE.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
Vendor Product Version
Spring Spring REST Docs Affected: 4.0.0 , < 4.0.0.1 (custom)
Affected: 3.0.0 , < 3.0.5.1 (custom)
Affected: 2.0.0.RELEASE , < 2.0.9.RELEASE (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40991",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T13:01:26.403312Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T13:01:36.180Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Spring REST Docs",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "4.0.0.1",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.0.5.1",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "2.0.9.RELEASE",
              "status": "affected",
              "version": "2.0.0.RELEASE",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next executed.\n\nAffected versions:\nSpring REST Docs 4.0.0; 3.0.0 through 3.0.5; 2.0.0.RELEASE through 2.0.8.RELEASE."
            }
          ],
          "value": "When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next executed.\n\nAffected versions:\nSpring REST Docs 4.0.0; 3.0.0 through 3.0.5; 2.0.0.RELEASE through 2.0.8.RELEASE."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker who can compromise or impersonate a remote API can perform an XXE injection attack when spring-restdocs documentation tests execute against the malicious endpoint."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-27T21:10:14.865Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2026-40991"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "XML External Entity (XXE) injection when documenting untrusted XML content",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2026-40991",
    "datePublished": "2026-06-09T23:46:33.676Z",
    "dateReserved": "2026-04-16T02:19:09.389Z",
    "dateUpdated": "2026-06-27T21:10:14.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40882 (GCVE-0-2026-40882)

Vulnerability from cvelistv5 – Published: 2026-04-22 20:33 – Updated: 2026-04-23 13:47
VLAI
Title
OpenRemote has XXE in Velbus Asset Import
Summary
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. Version 1.22.0 fixes the issue.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
Vendor Product Version
openremote openremote Affected: < 1.22.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40882",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-23T13:46:44.026868Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-23T13:47:07.964Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openremote",
          "vendor": "openremote",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.22.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. Version 1.22.0 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T20:33:23.304Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc"
        }
      ],
      "source": {
        "advisory": "GHSA-g24f-mgc3-jwwc",
        "discovery": "UNKNOWN"
      },
      "title": "OpenRemote has XXE in Velbus Asset Import"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40882",
    "datePublished": "2026-04-22T20:33:23.304Z",
    "dateReserved": "2026-04-15T15:57:41.719Z",
    "dateUpdated": "2026-04-23T13:47:07.964Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40682 (GCVE-0-2026-40682)

Vulnerability from cvelistv5 – Published: 2026-05-04 16:55 – Updated: 2026-07-15 01:00
VLAI
Title
Apache OpenNLP: XXE via Dictionary Parsing in DictionaryEntryPersistor
Summary
XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCESSING or disabling DTD processing. When create(InputStream, EntryInserter) is invoked, the only feature set on the XMLReader is namespace support — external entity resolution and DOCTYPE declarations remain fully enabled. An attacker who can supply a crafted dictionary file (e.g., a stop-word list or domain dictionary) containing a malicious DOCTYPE declaration can trigger local file disclosure via file:// entity references or server-side request forgery via http:// entity references during SAX parsing, before the application processes a single dictionary entry. This is inconsistent with the project's own XmlUtil.createSaxParser() helper, which correctly sets FEATURE_SECURE_PROCESSING and disallow-doctype-decl and is used by all other XML parsing paths in the codebase. The public Dictionary(InputStream) constructor delegates directly to this method and is the documented API for loading user-supplied dictionaries, making untrusted input a realistic scenario. Mitigation: 2.x users should upgrade to 2.5.9. 3.x users should upgrade to 3.0.0-M3. Users who cannot upgrade immediately should ensure that all dictionary files are sourced from trusted origins and should consider wrapping the Dictionary(InputStream) constructor with input validation that rejects any XML containing a DOCTYPE declaration before it reaches the parser.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
Impacted products
Credits
Subramanian S
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-04T17:36:52.681Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/01/19"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-40682",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-05T15:01:49.614474Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-05T15:02:14.483Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:camel_spring_boot:4"
            ],
            "defaultStatus": "unaffected",
            "packageName": "opennlp-tools",
            "product": "Red Hat build of Apache Camel for Spring Boot 4",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_data_grid:8"
            ],
            "defaultStatus": "unaffected",
            "packageName": "opennlp-tools",
            "product": "Red Hat Data Grid 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_fuse:7"
            ],
            "defaultStatus": "unaffected",
            "packageName": "opennlp-maxent",
            "product": "Red Hat Fuse 7",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_fuse:7"
            ],
            "defaultStatus": "unaffected",
            "packageName": "opennlp-tools",
            "product": "Red Hat Fuse 7",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_enterprise_application_platform:8"
            ],
            "defaultStatus": "unaffected",
            "packageName": "opennlp-tools",
            "product": "Red Hat JBoss Enterprise Application Platform 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jbosseapxp"
            ],
            "defaultStatus": "unaffected",
            "packageName": "opennlp-tools",
            "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "unknown",
            "packageName": "rhoai/odh-trustyai-service-rhel9",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "unknown",
            "packageName": "rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-04T16:55:55.834Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Apache OpenNLP. A remote attacker can exploit this vulnerability by providing a specially crafted dictionary file. This can lead to an XML External Entity (XXE) injection, which allows for the disclosure of local files or enables server-side request forgery (SSRF), where the server makes unauthorized requests to other systems."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-611",
                "description": "Improper Restriction of XML External Entity Reference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T01:00:40.227Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-40682"
          },
          {
            "name": "RHBZ#2466484",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466484"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40682.json"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-04T19:01:14.287Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-04T16:55:55.834Z",
            "value": "Made public."
          }
        ],
        "title": "org.apache.opennlp/opennlp-tools: Apache OpenNLP: XML External Entity (XXE) vulnerability via crafted dictionary parsing",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2/",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.opennlp:opennlp-tools",
          "product": "Apache OpenNLP",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.5.9",
              "status": "affected",
              "version": "2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.0-M3",
              "status": "affected",
              "version": "3.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThan": "1.9.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Subramanian S"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cstrong\u003eXML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eVersions Affected:\u003c/strong\u003e before 2.5.9, before 3.0.0-M3\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e The \u003ccode\u003eDictionaryEntryPersistor\u003c/code\u003e class initializes a static \u003ccode\u003eSAXParserFactory\u003c/code\u003e at class-load time without enabling \u003ccode\u003eFEATURE_SECURE_PROCESSING\u003c/code\u003e or disabling DTD processing. When \u003ccode\u003ecreate(InputStream, EntryInserter)\u003c/code\u003e is invoked, the only feature set on the \u003ccode\u003eXMLReader\u003c/code\u003e is namespace support \u2014 external entity resolution and DOCTYPE declarations remain fully enabled. An attacker who can supply a crafted dictionary file (e.g., a stop-word list or domain dictionary) containing a malicious DOCTYPE declaration can trigger local file disclosure via \u003ccode\u003efile://\u003c/code\u003e entity references or server-side request forgery via \u003ccode\u003ehttp://\u003c/code\u003e entity references during SAX parsing, before the application processes a single dictionary entry. This is inconsistent with the project\u0027s own \u003ccode\u003eXmlUtil.createSaxParser()\u003c/code\u003e helper, which correctly sets \u003ccode\u003eFEATURE_SECURE_PROCESSING\u003c/code\u003e and \u003ccode\u003edisallow-doctype-decl\u003c/code\u003e and is used by all other XML parsing paths in the codebase. The public \u003ccode\u003eDictionary(InputStream)\u003c/code\u003e constructor delegates directly to this method and is the documented API for loading user-supplied dictionaries, making untrusted input a realistic scenario.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eMitigation:\u003c/strong\u003e 2.x users should upgrade to 2.5.9. 3.x users should upgrade to 3.0.0-M3. Users who cannot upgrade immediately should ensure that all dictionary files are sourced from trusted origins and should consider wrapping the \u003ccode\u003eDictionary(InputStream)\u003c/code\u003e constructor with input validation that rejects any XML containing a DOCTYPE declaration before it reaches the parser.\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor\n\n\nVersions Affected: before 2.5.9, before 3.0.0-M3\n\n\nDescription: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCESSING or disabling DTD processing. When create(InputStream, EntryInserter) is invoked, the only feature set on the XMLReader is namespace support \u2014 external entity resolution and DOCTYPE declarations remain fully enabled. An attacker who can supply a crafted dictionary file (e.g., a stop-word list or domain dictionary) containing a malicious DOCTYPE declaration can trigger local file disclosure via file:// entity references or server-side request forgery via http:// entity references during SAX parsing, before the application processes a single dictionary entry. This is inconsistent with the project\u0027s own XmlUtil.createSaxParser() helper, which correctly sets FEATURE_SECURE_PROCESSING and disallow-doctype-decl and is used by all other XML parsing paths in the codebase. The public Dictionary(InputStream) constructor delegates directly to this method and is the documented API for loading user-supplied dictionaries, making untrusted input a realistic scenario.\n\n\nMitigation: 2.x users should upgrade to 2.5.9. 3.x users should upgrade to 3.0.0-M3. Users who cannot upgrade immediately should ensure that all dictionary files are sourced from trusted origins and should consider wrapping the Dictionary(InputStream) constructor with input validation that rejects any XML containing a DOCTYPE declaration before it reaches the parser."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T07:16:49.842Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/r6jpt0qr9nj67gqhppqg7jxf8vsbo0w6"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache OpenNLP: XXE via Dictionary Parsing in DictionaryEntryPersistor",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-40682",
    "datePublished": "2026-05-04T16:55:55.834Z",
    "dateReserved": "2026-04-14T17:21:09.189Z",
    "dateUpdated": "2026-07-15T01:00:40.227Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34401 (GCVE-0-2026-34401)

Vulnerability from cvelistv5 – Published: 2026-03-31 21:05 – Updated: 2026-04-01 15:53
VLAI
Title
XML Notepad: XML External Entity (XXE) Injection via Unsafe XmlTextReader in XML Diff and Schema Loading
Summary
XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim's NTLM credentials. This issue has been patched in version 2.9.0.21.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
Impacted products
Vendor Product Version
microsoft XmlNotepad Affected: < 2.9.0.21
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34401",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T15:45:24.184266Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T15:53:18.538Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/microsoft/XmlNotepad/security/advisories/GHSA-5j32-486h-42ch"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "XmlNotepad",
          "vendor": "microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.9.0.21"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related to malicious DTD files where an attacker to craft a malicious XML file that loads a DTD that causes XML Notepad to make outbound HTTP/SMB requests, potentially leaking local file contents or capturing the victim\u0027s NTLM credentials. This issue has been patched in version 2.9.0.21."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T21:05:50.647Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/microsoft/XmlNotepad/security/advisories/GHSA-5j32-486h-42ch",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/microsoft/XmlNotepad/security/advisories/GHSA-5j32-486h-42ch"
        },
        {
          "name": "https://github.com/microsoft/XmlNotepad/commit/3665603d61ba10b7827a3724e854748cb780140c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/microsoft/XmlNotepad/commit/3665603d61ba10b7827a3724e854748cb780140c"
        },
        {
          "name": "https://github.com/microsoft/XmlNotepad/commit/c03ab2311ac6960452eb1ab49098768f851dcc53",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/microsoft/XmlNotepad/commit/c03ab2311ac6960452eb1ab49098768f851dcc53"
        },
        {
          "name": "https://github.com/microsoft/XmlNotepad/releases/tag/2.9.0.21",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/microsoft/XmlNotepad/releases/tag/2.9.0.21"
        }
      ],
      "source": {
        "advisory": "GHSA-5j32-486h-42ch",
        "discovery": "UNKNOWN"
      },
      "title": "XML Notepad: XML External Entity (XXE) Injection via Unsafe XmlTextReader in XML Diff and Schema Loading"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34401",
    "datePublished": "2026-03-31T21:05:50.647Z",
    "dateReserved": "2026-03-27T13:45:29.620Z",
    "dateUpdated": "2026-04-01T15:53:18.538Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33913 (GCVE-0-2026-33913)

Vulnerability from cvelistv5 – Published: 2026-03-25 22:52 – Updated: 2026-03-26 18:08
VLAI
Title
OpenEMR: XInclude Injection in CCDA Import Allows Reading Arbitrary Server Files
Summary
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated user with access to the Carecoordination module can upload a crafted CCDA document containing `<xi:include href="file:///etc/passwd" parse="text"/>` to read arbitrary files from the server. Version 8.0.0.3 patches the issue.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
Impacted products
Vendor Product Version
openemr openemr Affected: < 8.0.0.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33913",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T18:08:22.949304Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-26T18:08:31.010Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openemr",
          "vendor": "openemr",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 8.0.0.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated user with access to the Carecoordination module can upload a crafted CCDA document containing `\u003cxi:include href=\"file:///etc/passwd\" parse=\"text\"/\u003e` to read arbitrary files from the server. Version 8.0.0.3 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T22:52:50.449Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/openemr/openemr/security/advisories/GHSA-9757-3cfj-wc8q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/openemr/openemr/security/advisories/GHSA-9757-3cfj-wc8q"
        },
        {
          "name": "https://github.com/openemr/openemr/commit/67e1702c41cf486af0069bdafce19860e2cd9a11",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openemr/openemr/commit/67e1702c41cf486af0069bdafce19860e2cd9a11"
        },
        {
          "name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"
        }
      ],
      "source": {
        "advisory": "GHSA-9757-3cfj-wc8q",
        "discovery": "UNKNOWN"
      },
      "title": "OpenEMR: XInclude Injection in CCDA Import Allows Reading Arbitrary Server Files"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33913",
    "datePublished": "2026-03-25T22:52:50.449Z",
    "dateReserved": "2026-03-24T15:41:47.492Z",
    "dateUpdated": "2026-03-26T18:08:31.010Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33737 (GCVE-0-2026-33737)

Vulnerability from cvelistv5 – Published: 2026-04-10 19:05 – Updated: 2026-04-13 16:02
VLAI
Title
Chamilo LMS has an XML External Entity (XXE) Injection
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
Impacted products
Vendor Product Version
chamilo chamilo-lms Affected: < 1.11.38
Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33737",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T16:01:59.171472Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T16:02:10.691Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "chamilo-lms",
          "vendor": "chamilo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.11.38"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T19:05:08.873Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j"
        },
        {
          "name": "https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e"
        },
        {
          "name": "https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3"
        }
      ],
      "source": {
        "advisory": "GHSA-c4ww-qgf2-v89j",
        "discovery": "UNKNOWN"
      },
      "title": "Chamilo LMS has an XML External Entity (XXE) Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33737",
    "datePublished": "2026-04-10T19:05:08.873Z",
    "dateReserved": "2026-03-23T17:34:57.561Z",
    "dateUpdated": "2026-04-13T16:02:10.691Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32251 (GCVE-0-2026-32251)

Vulnerability from cvelistv5 – Published: 2026-03-12 19:21 – Updated: 2026-03-13 16:15
VLAI
Title
Tolgee has an XXE Injection in Translation Import
Summary
Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files from the server and make server-side requests to internal services. This vulnerability is fixed in 3.166.3.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
Impacted products
Vendor Product Version
tolgee tolgee-platform Affected: < 3.166.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32251",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-13T16:15:41.015285Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-13T16:15:44.484Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "tolgee-platform",
          "vendor": "tolgee",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.166.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources (.xml) and .resx files don\u0027t disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files from the server and make server-side requests to internal services. This vulnerability is fixed in 3.166.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-12T19:21:05.130Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-rcvv-64pq-vxfx"
        },
        {
          "name": "https://github.com/tolgee/tolgee-platform/commit/7c71d5a849c9984a8c5c55b121992417442a47a5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tolgee/tolgee-platform/commit/7c71d5a849c9984a8c5c55b121992417442a47a5"
        },
        {
          "name": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.166.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tolgee/tolgee-platform/releases/tag/v3.166.3"
        }
      ],
      "source": {
        "advisory": "GHSA-rcvv-64pq-vxfx",
        "discovery": "UNKNOWN"
      },
      "title": "Tolgee has an XXE Injection in Translation Import"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32251",
    "datePublished": "2026-03-12T19:21:05.130Z",
    "dateReserved": "2026-03-11T14:47:05.686Z",
    "dateUpdated": "2026-03-13T16:15:44.484Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28809 (GCVE-0-2026-28809)

Vulnerability from cvelistv5 – Published: 2026-03-23 10:09 – Updated: 2026-05-27 15:41
VLAI
Title
XXE in esaml SAML library allows local file read and potential SSRF
Summary
XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages. esaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages. This issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
EEF
Impacted products
Vendor Product Version
dropbox esaml     cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*
    cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*
    cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*
Create a notification for this product.
arekinath esaml     cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*
Create a notification for this product.
handnot2 esaml     cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*
Create a notification for this product.
dropbox esaml     cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*
Create a notification for this product.
Jump-App esaml Affected: 0 , < bab85efde7c136911402a881ca55173759467a26 (git)
Unaffected: bab85efde7c136911402a881ca55173759467a26 (git)
    cpe:2.3:a:jump-app:esaml:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Bryan Lynch Jonatan Männchen / EEF
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28809",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-23T15:07:17.488260Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-23T15:52:46.187Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*",
            "cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*",
            "cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "affected",
          "packageName": "esaml",
          "packageURL": "pkg:hex/esaml",
          "product": "esaml",
          "vendor": "dropbox"
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "affected",
          "packageName": "arekinath/esaml",
          "packageURL": "pkg:github/arekinath/esaml",
          "product": "esaml",
          "repo": "https://github.com/arekinath/esaml.git",
          "vendor": "arekinath"
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "affected",
          "packageName": "handnot2/esaml",
          "packageURL": "pkg:github/handnot2/esaml",
          "product": "esaml",
          "repo": "https://github.com/handnot2/esaml.git",
          "vendor": "handnot2"
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "affected",
          "packageName": "dropbox/esaml",
          "packageURL": "pkg:github/dropbox/esaml",
          "product": "esaml",
          "repo": "https://github.com/dropbox/esaml.git",
          "vendor": "dropbox"
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:jump-app:esaml:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "affected",
          "packageName": "Jump-App/esaml",
          "packageURL": "pkg:github/Jump-App/esaml",
          "product": "esaml",
          "repo": "https://github.com/Jump-App/esaml.git",
          "vendor": "Jump-App",
          "versions": [
            {
              "lessThan": "bab85efde7c136911402a881ca55173759467a26",
              "status": "affected",
              "version": "0",
              "versionType": "git"
            },
            {
              "status": "unaffected",
              "version": "bab85efde7c136911402a881ca55173759467a26",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The application must use esaml to process SAML messages and run on Erlang/OTP versions before 27. Starting with OTP 27, \u003ctt\u003exmerl_scan\u003c/tt\u003e disables entity expansion by default, which mitigates this vulnerability."
            }
          ],
          "value": "The application must use esaml to process SAML messages and run on Erlang/OTP versions before 27. Starting with OTP 27, xmerl_scan disables entity expansion by default, which mitigates this vulnerability."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:dropbox:esaml:*:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:arekinath:esaml:*:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:handnot2:esaml:*:*:*:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:jump-app:esaml:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "bab85efde7c136911402a881ca55173759467a26",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bryan Lynch"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.\u003cp\u003eesaml parses attacker-controlled SAML messages using \u003ctt\u003exmerl_scan:string/2\u003c/tt\u003e before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.\u003c/p\u003e\u003cp\u003eThis issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled.\u003c/p\u003e"
            }
          ],
          "value": "XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages.\n\nesaml parses attacker-controlled SAML messages using xmerl_scan:string/2 before signature verification without disabling XML entity expansion. On Erlang/OTP versions before 27, Xmerl allows entities by default, enabling pre-signature XXE attacks. An attacker can cause the host to read local files (e.g., Kubernetes-mounted secrets) into the SAML document. If the attacker is not a trusted SAML SP, signature verification will fail and the document is discarded, but file contents may still be exposed through logs or error messages.\n\nThis issue affects all versions of esaml, including forks by arekinath, handnot2, and dropbox. Users running on Erlang/OTP 27 or later are not affected due to Xmerl defaulting to entities disabled."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-201",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-201 Serialized Data External Linking"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:41:20.808Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory",
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-28809.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-28809"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/Jump-App/esaml/commit/bab85efde7c136911402a881ca55173759467a26"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "XXE in esaml SAML library allows local file read and potential SSRF",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade to Erlang/OTP 27 or later. Starting with OTP 27, \u003ctt\u003exmerl_scan\u003c/tt\u003e disables entity expansion by default, which mitigates this vulnerability without changes to esaml."
            }
          ],
          "value": "Upgrade to Erlang/OTP 27 or later. Starting with OTP 27, xmerl_scan disables entity expansion by default, which mitigates this vulnerability without changes to esaml."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-28809",
    "datePublished": "2026-03-23T10:09:29.233Z",
    "dateReserved": "2026-03-03T14:40:00.590Z",
    "dateUpdated": "2026-05-27T15:41:20.808Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-26171 (GCVE-0-2026-26171)

Vulnerability from cvelistv5 – Published: 2026-04-14 16:58 – Updated: 2026-07-15 01:15
VLAI
Title
.NET Denial of Service Vulnerability
Summary
Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
  • CWE-611 - Improper Restriction of XML External Entity Reference
  • CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Assigner
References
URL Tags
https://msrc.microsoft.com/update-guide/vulnerabi… vendor-advisorypatch
https://access.redhat.com/security/cve/CVE-2026-26171 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2457739 issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
https://access.redhat.com/errata/RHSA-2026:13281 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:13280 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8467 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8470 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8472 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8473 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8468 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8475 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:13693 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:13283 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:13282 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8471 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8469 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8474 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:9077 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:9080 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:9205 vendor-advisoryx_refsource_REDHAT
Impacted products
Vendor Product Version
Microsoft .NET 10.0 Affected: 10.0.0 , < 10.0.6 (custom)
Create a notification for this product.
Microsoft .NET 8.0 Affected: 8.0.0 , < 8.0.26 (custom)
Create a notification for this product.
Microsoft .NET 9.0 Affected: 9.0.0 , < 9.0.15 (custom)
Create a notification for this product.
Microsoft PowerShell 7.5 Affected: 7.5.0 , < 7.5.6 (custom)
Create a notification for this product.
Microsoft PowerShell 7.6 Affected: 7.6.0 , < 7.6.1 (custom)
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10 Unaffected: 0:10.0.106-1.el10_1 , < * (rpm)
    cpe:/o:redhat:enterprise_linux:10.1
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10 Unaffected: 0:8.0.126-1.el10_1 , < * (rpm)
    cpe:/o:redhat:enterprise_linux:10.1
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10 Unaffected: 0:9.0.116-1.el10_1 , < * (rpm)
    cpe:/o:redhat:enterprise_linux:10.1
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10.0 Extended Update Support Unaffected: 0:9.0.116-1.el10_0 , < * (rpm)
    cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10.0 Extended Update Support Unaffected: 0:8.0.126-1.el10_0 , < * (rpm)
    cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8 Unaffected: 0:8.0.126-1.el8_10 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8 Unaffected: 0:10.0.106-1.el8_10 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8 Unaffected: 0:9.0.116-1.el8_10 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9 Unaffected: 0:8.0.126-1.el9_7 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:9
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9 Unaffected: 0:10.0.106-1.el9_7 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:9
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9 Unaffected: 0:9.0.116-1.el9_7 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:9
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9.4 Extended Update Support Unaffected: 0:8.0.126-1.el9_4 , < * (rpm)
    cpe:/a:redhat:rhel_eus:9.4
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9.6 Extended Update Support Unaffected: 0:9.0.116-1.el9_6 , < * (rpm)
    cpe:/a:redhat:rhel_eus:9.6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9.6 Extended Update Support Unaffected: 0:8.0.126-1.el9_6 , < * (rpm)
    cpe:/a:redhat:rhel_eus:9.6
Create a notification for this product.
Red Hat Red Hat Hardened Images Unaffected: 10.0.106-1.hum1 , < * (rpm)
    cpe:/a:redhat:hummingbird:1
Create a notification for this product.
Red Hat Red Hat Hardened Images Unaffected: 8.0.126-1.hum1 , < * (rpm)
    cpe:/a:redhat:hummingbird:1
Create a notification for this product.
Red Hat Red Hat Hardened Images Unaffected: 9.0.116-1.hum1 , < * (rpm)
    cpe:/a:redhat:hummingbird:1
Create a notification for this product.
Date Public
2026-04-14 14:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26171",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-14T18:53:29.483401Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-14T18:53:37.106Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.1"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet10.0",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:10.0.106-1.el10_1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.1"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet8.0",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:8.0.126-1.el10_1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.1"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet9.0",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:9.0.116-1.el10_1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet9.0",
            "product": "Red Hat Enterprise Linux 10.0 Extended Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:9.0.116-1.el10_0",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet8.0",
            "product": "Red Hat Enterprise Linux 10.0 Extended Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:8.0.126-1.el10_0",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet8.0",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:8.0.126-1.el8_10",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet10.0",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:10.0.106-1.el8_10",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet9.0",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:9.0.116-1.el8_10",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet8.0",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:8.0.126-1.el9_7",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet10.0",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:10.0.106-1.el9_7",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet9.0",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:9.0.116-1.el9_7",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.4"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet8.0",
            "product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:8.0.126-1.el9_4",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet9.0",
            "product": "Red Hat Enterprise Linux 9.6 Extended Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:9.0.116-1.el9_6",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet8.0",
            "product": "Red Hat Enterprise Linux 9.6 Extended Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:8.0.126-1.el9_6",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:hummingbird:1"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet10-0-main",
            "product": "Red Hat Hardened Images",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "10.0.106-1.hum1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:hummingbird:1"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet8-0-main",
            "product": "Red Hat Hardened Images",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "8.0.126-1.hum1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:hummingbird:1"
            ],
            "defaultStatus": "affected",
            "packageName": "dotnet9-0-main",
            "product": "Red Hat Hardened Images",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "9.0.116-1.hum1",
                "versionType": "rpm"
              }
            ]
          }
        ],
        "datePublic": "2026-04-14T18:39:18.599Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in .NET. A remote attacker could exploit a vulnerability related to unsafe transforms in EncryptedXml. This could lead to a Denial of Service (DoS), making the service unavailable, and a bypass of security features."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-776",
                "description": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T01:15:11.907Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-26171"
          },
          {
            "name": "RHBZ#2457739",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457739"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26171.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:13281"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:13280"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8467"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8470"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8472"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8473"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8468"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8475"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:13693"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:13283"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:13282"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8471"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8469"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8474"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:9077"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:9080"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:9205"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:13281: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:13280: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8467: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8470: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8472: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8473: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8468: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8475: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:13693: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:13283: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:13282: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8471: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8469: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8474: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:9077: Red Hat Hardened Images"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:9080: Red Hat Hardened Images"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:9205: Red Hat Hardened Images"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-04-13T05:00:07.414Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-04-14T18:39:18.599Z",
            "value": "Made public."
          }
        ],
        "title": "dotnet: .NET: Security Bypass and Denial of Service Vulnerability",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": ".NET 10.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.6",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": ".NET 8.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "8.0.26",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": ".NET 9.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "9.0.15",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "PowerShell 7.5",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.5.6",
              "status": "affected",
              "version": "7.5.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "PowerShell 7.6",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "7.6.1",
              "status": "affected",
              "version": "7.6.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:powershell:*:-:*:*:*:*:*:*",
                  "versionEndExcluding": "7.5.6",
                  "versionStartIncluding": "7.5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.6",
                  "versionStartIncluding": "10.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "8.0.26",
                  "versionStartIncluding": "8.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "9.0.15",
                  "versionStartIncluding": "9.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:powershell:*:-:*:*:*:*:*:*",
                  "versionEndExcluding": "7.6.1",
                  "versionStartIncluding": "7.6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-04-14T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en-US",
              "type": "CWE"
            },
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-19T16:08:51.778Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": ".NET Denial of Service Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26171"
        }
      ],
      "title": ".NET Denial of Service Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-26171",
    "datePublished": "2026-04-14T16:58:37.655Z",
    "dateReserved": "2026-02-11T18:33:57.776Z",
    "dateUpdated": "2026-07-15T01:15:11.907Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24400 (GCVE-0-2026-24400)

Vulnerability from cvelistv5 – Published: 2026-01-26 22:19 – Updated: 2026-01-27 21:36
VLAI
Title
AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
Summary
AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
Impacted products
Vendor Product Version
assertj assertj Affected: >= 1.4.0, < 3.27.7
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24400",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-27T21:36:16.298177Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-27T21:36:26.716Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "assertj",
          "vendor": "assertj",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.4.0, \u003c 3.27.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via \"Billion Laughs\" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-26T22:19:02.161Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r"
        },
        {
          "name": "https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a"
        },
        {
          "name": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
        },
        {
          "name": "https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7"
        }
      ],
      "source": {
        "advisory": "GHSA-rqfh-9r24-8c9r",
        "discovery": "UNKNOWN"
      },
      "title": "AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24400",
    "datePublished": "2026-01-26T22:19:02.161Z",
    "dateReserved": "2026-01-22T18:19:49.172Z",
    "dateUpdated": "2026-01-27T21:36:26.716Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.