CWE-91
XML Injection (aka Blind XPath Injection)
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
CVE-2025-7473 (GCVE-0-2025-7473)
Vulnerability from cvelistv5 – Published: 2025-10-21 10:58 – Updated: 2025-10-21 13:24
VLAI
Title
XML Injection
Summary
Zohocorp ManageEngine EndPoint Central versions 11.4.2516.1 and prior are vulnerable to XML Injection.
Severity
5.2 (Medium)
CWE
- CWE-91 - XML Injection (aka Blind XPath Injection)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Zohocorp | Endpoint Central |
Affected:
0 , ≤ 11.4.2516.1
(11.4.2516.1)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7473",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-21T13:24:23.990497Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T13:24:38.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Endpoint Central",
"vendor": "Zohocorp",
"versions": [
{
"lessThanOrEqual": "11.4.2516.1",
"status": "affected",
"version": "0",
"versionType": "11.4.2516.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine EndPoint Central versions\u0026nbsp;11.4.2516.1 and prior are vulnerable to XML Injection."
}
],
"value": "Zohocorp ManageEngine EndPoint Central versions\u00a011.4.2516.1 and prior are vulnerable to XML Injection."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91 XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T10:58:47.949Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/desktop-central/parsing-xml-data.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XML Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-7473",
"datePublished": "2025-10-21T10:58:47.949Z",
"dateReserved": "2025-07-11T12:34:38.612Z",
"dateUpdated": "2025-10-21T13:24:38.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9375 (GCVE-0-2025-9375)
Vulnerability from cvelistv5 – Published: 2025-09-01 16:43 – Updated: 2026-04-20 21:45 Disputed
VLAI
Title
xmltodict 0.14.2 - XML Injection
Summary
XML Injection vulnerability in xmltodict allows Input Data Manipulation.
This issue affects xmltodict: from 0.14.2 before 0.15.1.
NOTE: the scope of this CVE is disputed by the vendor on the grounds that xmltodict.unparse() delegates element-name handling to Python's xml.sax.saxutils.XMLGenerator, and that XMLGenerator should be the component performing validation.
Severity
CWE
- CWE-91 - XML Injection (aka Blind XPath Injection)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/advisories/mono | third-party-advisory |
| https://github.com/martinblech/xmltodict | product |
| https://github.com/martinblech/xmltodict/blob/v0.… | patchrelease-notes |
| https://github.com/martinblech/xmltodict/commit/f… | patch |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T15:16:00.971499Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T15:16:13.844Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-09-05T01:47:50.016Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://github.com/martinblech/xmltodict/issues/377#issuecomment-3255691923"
},
{
"url": "https://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape"
},
{
"url": "https://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.XMLGenerator"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "xmltodict",
"platforms": [
"MacOS",
"Linux",
"Windows"
],
"product": "xmltodict",
"vendor": "xmltodict",
"versions": [
{
"lessThan": "0.15.1",
"status": "affected",
"version": "0.14.2",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xmltodict:xmltodict:*:*:macos:*:*:*:*:*",
"versionEndExcluding": "0.15.1",
"versionStartIncluding": "0.14.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xmltodict:xmltodict:*:*:linux:*:*:*:*:*",
"versionEndExcluding": "0.15.1",
"versionStartIncluding": "0.14.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xmltodict:xmltodict:*:*:windows:*:*:*:*:*",
"versionEndExcluding": "0.15.1",
"versionStartIncluding": "0.14.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eXML Injection vulnerability in xmltodict allows Input Data Manipulation.\u003cbr\u003e\u003c/span\u003e\u003cp\u003eThis issue affects xmltodict: from 0.14.2 before 0.15.1.\u003cbr\u003e\u003cbr\u003eNOTE: the scope of this CVE is disputed by the vendor on the grounds that xmltodict.unparse() delegates element-name handling to Python\u0027s xml.sax.saxutils.XMLGenerator, and that XMLGenerator should be the component performing validation.\u003c/p\u003e"
}
],
"value": "XML Injection vulnerability in xmltodict allows Input Data Manipulation.\nThis issue affects xmltodict: from 0.14.2 before 0.15.1.\n\nNOTE: the scope of this CVE is disputed by the vendor on the grounds that xmltodict.unparse() delegates element-name handling to Python\u0027s xml.sax.saxutils.XMLGenerator, and that XMLGenerator should be the component performing validation."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91 XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T21:45:55.337Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/advisories/mono"
},
{
"tags": [
"product"
],
"url": "https://github.com/martinblech/xmltodict"
},
{
"tags": [
"patch",
"release-notes"
],
"url": "https://github.com/martinblech/xmltodict/blob/v0.15.1/CHANGELOG.md"
},
{
"tags": [
"patch"
],
"url": "https://github.com/martinblech/xmltodict/commit/f98c90f071228ed73df997807298e1df4f790c33"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"disputed"
],
"title": "xmltodict 0.14.2 - XML Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2025-9375",
"datePublished": "2025-09-01T16:43:18.220Z",
"dateReserved": "2025-08-22T22:03:47.627Z",
"dateUpdated": "2026-04-20T21:45:55.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1554 (GCVE-0-2026-1554)
Vulnerability from cvelistv5 – Published: 2026-02-04 20:26 – Updated: 2026-02-05 15:15
VLAI
Title
Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007
Summary
XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.
Severity
4.2 (Medium)
CWE
- CWE-91 - XML Injection (aka Blind XPath Injection)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Central Authentication System (CAS) Server |
Affected:
0.0.0 , < 2.0.3
(semver)
Affected: 2.1.0 , < 2.1.2 (semver) |
Date Public
2026-01-28 17:29
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-1554",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T15:14:46.442485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T15:15:29.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/cas_server",
"defaultStatus": "unaffected",
"product": "Central Authentication System (CAS) Server",
"repo": "https://git.drupalcode.org/project/cas_server",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.3",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "2.1.2",
"status": "affected",
"version": "2.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ga\u00c3\u00abl Gosset (ga\u00c3\u00ablg)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ted Cooper (elc)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ga\u00c3\u00abl Gosset (ga\u00c3\u00ablg)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jaap Jansma (jaapjansma)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-01-28T17:29:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.\u003cp\u003eThis issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.\u003c/p\u003e"
}
],
"value": "XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91 XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:26:38.850Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-007"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-1554",
"datePublished": "2026-02-04T20:26:38.850Z",
"dateReserved": "2026-01-28T17:01:09.595Z",
"dateUpdated": "2026-02-05T15:15:29.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27693 (GCVE-0-2026-27693)
Vulnerability from cvelistv5 – Published: 2026-05-05 12:17 – Updated: 2026-05-06 12:43
VLAI
Title
traccar allows XML injection in KML and GPX exports
Summary
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0.
Severity
5.4 (Medium)
CWE
- CWE-91 - XML Injection (aka Blind XPath Injection)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/traccar/traccar/security/advis… | x_refsource_CONFIRM |
| https://github.com/traccar/traccar/blob/v6.11.0/s… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27693",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T12:43:06.299961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T12:43:31.211Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traccar",
"vendor": "traccar",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.11.1, \u003c 6.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T12:17:34.300Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656"
},
{
"name": "https://github.com/traccar/traccar/blob/v6.11.0/src/main/java/org/traccar/reports/GpxExportProvider.java#L52-L54",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/traccar/traccar/blob/v6.11.0/src/main/java/org/traccar/reports/GpxExportProvider.java#L52-L54"
}
],
"source": {
"advisory": "GHSA-32pj-vrqc-x656",
"discovery": "UNKNOWN"
},
"title": "traccar allows XML injection in KML and GPX exports"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27693",
"datePublished": "2026-05-05T12:17:07.898Z",
"dateReserved": "2026-02-23T17:56:51.202Z",
"dateUpdated": "2026-05-06T12:43:31.211Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28770 (GCVE-0-2026-28770)
Vulnerability from cvelistv5 – Published: 2026-03-04 07:06 – Updated: 2026-03-05 06:01
VLAI
Title
XML injection In /IDC_Logging/checkifdone.cgi Endpoint On IDC SFX Web Management Interface Version 101
Summary
Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101 allows for XML Injection. The application reflects un-sanitized user input from the `file` parameter directly into a CDATA block, allowing an authenticated attacker to break out of the tags and inject arbitrary XML elements. An actor is confirmed to be able to turn this into an reflected XSS but further abuse such as XXE may be possible
Severity
CWE
- CWE-91 - XML Injection (aka Blind XPath Injection)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| International Datacasting Corporation (IDC) | SFX Series SuperFlex Satellite Receiver Web management interface |
Affected:
101
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T16:02:39.004959Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T16:03:20.356Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "SFX Series SuperFlex Satellite Receiver Web management interface",
"vendor": "International Datacasting Corporation (IDC)",
"versions": [
{
"status": "affected",
"version": "101"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdul Mhanni"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101 allows for XML Injection. The application reflects un-sanitized user input from the `file` parameter directly into a CDATA block, allowing an authenticated attacker to break out of the tags and inject arbitrary XML elements. An actor is confirmed to be able to turn this into an reflected XSS but further abuse such as XXE may be possible"
}
],
"value": "Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101 allows for XML Injection. The application reflects un-sanitized user input from the `file` parameter directly into a CDATA block, allowing an authenticated attacker to break out of the tags and inject arbitrary XML elements. An actor is confirmed to be able to turn this into an reflected XSS but further abuse such as XXE may be possible"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "XML External Entity (XXE) / Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T06:01:02.877Z",
"orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
"shortName": "Gridware"
},
"references": [
{
"url": "https://www.abdulmhsblog.com/posts/sfx2100-vulns/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XML injection In /IDC_Logging/checkifdone.cgi Endpoint On IDC SFX Web Management Interface Version 101",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
"assignerShortName": "Gridware",
"cveId": "CVE-2026-28770",
"datePublished": "2026-03-04T07:06:35.477Z",
"dateReserved": "2026-03-03T09:59:08.426Z",
"dateUpdated": "2026-03-05T06:01:02.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32870 (GCVE-0-2026-32870)
Vulnerability from cvelistv5 – Published: 2026-04-24 00:19 – Updated: 2026-04-24 16:30
VLAI
Title
Kirby has XML injection in its XML creator toolkit
Summary
Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check into allowing values that only contained a valid `CDATA` block but also contained other structured data outside of the `CDATA` block. This structured data would then also be allowed to pass through, circumventing the value protection. The `Xml::value()` method is used in `Xml::tag()`, `Xml::create()` and in the `Xml` data handler (e.g. `Data::encode($string, 'xml')`). Both the vulnerable methods and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to create XML strings from input data. If those generated files are passed to another implementation that assigns specific meaning to the XML schema, manipulation of this system's behavior is possible. Kirby sites that don't use XML generation in site or plugin code are not affected. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. In all of the mentioned releases, Kirby has added additional checks that only allow unchanged `CDATA` passthrough if the entire string is made up of valid `CDATA` blocks and no structured data. This protects all uses of the method against the described vulnerability.
Severity
CWE
- CWE-91 - XML Injection (aka Blind XPath Injection)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/getkirby/kirby/security/adviso… | x_refsource_CONFIRM |
| https://github.com/getkirby/kirby/releases/tag/4.9.0 | x_refsource_MISC |
| https://github.com/getkirby/kirby/releases/tag/5.4.0 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T16:29:59.845471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T16:30:09.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kirby",
"vendor": "getkirby",
"versions": [
{
"status": "affected",
"version": "\u003c 4.9.0"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kirby is an open-source content management system. Kirby\u0027s `Xml::value()` method has special handling for `\u003c![CDATA[ ]]\u003e` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check into allowing values that only contained a valid `CDATA` block but also contained other structured data outside of the `CDATA` block. This structured data would then also be allowed to pass through, circumventing the value protection. The `Xml::value()` method is used in `Xml::tag()`, `Xml::create()` and in the `Xml` data handler (e.g. `Data::encode($string, \u0027xml\u0027)`). Both the vulnerable methods and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to create XML strings from input data. If those generated files are passed to another implementation that assigns specific meaning to the XML schema, manipulation of this system\u0027s behavior is possible. Kirby sites that don\u0027t use XML generation in site or plugin code are not affected. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. In all of the mentioned releases, Kirby has added additional checks that only allow unchanged `CDATA` passthrough if the entire string is made up of valid `CDATA` blocks and no structured data. This protects all uses of the method against the described vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T00:19:13.544Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr"
},
{
"name": "https://github.com/getkirby/kirby/releases/tag/4.9.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getkirby/kirby/releases/tag/4.9.0"
},
{
"name": "https://github.com/getkirby/kirby/releases/tag/5.4.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getkirby/kirby/releases/tag/5.4.0"
}
],
"source": {
"advisory": "GHSA-9wfj-c55w-j9qr",
"discovery": "UNKNOWN"
},
"title": "Kirby has XML injection in its XML creator toolkit"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32870",
"datePublished": "2026-04-24T00:19:13.544Z",
"dateReserved": "2026-03-16T21:03:44.419Z",
"dateUpdated": "2026-04-24T16:30:09.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34601 (GCVE-0-2026-34601)
Vulnerability from cvelistv5 – Published: 2026-04-02 17:47 – Updated: 2026-04-03 16:03
VLAI
Title
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
Summary
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.
Severity
7.5 (High)
CWE
- CWE-91 - XML Injection (aka Blind XPath Injection)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/xmldom/xmldom/security/advisor… | x_refsource_CONFIRM |
| https://github.com/xmldom/xmldom/commit/2b852e836… | x_refsource_MISC |
| https://github.com/xmldom/xmldom/releases/tag/0.8.12 | x_refsource_MISC |
| https://github.com/xmldom/xmldom/releases/tag/0.9.9 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34601",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T16:02:29.353065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T16:03:21.485Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xmldom",
"vendor": "xmldom",
"versions": [
{
"status": "affected",
"version": "xmldom \u003c= 0.6.0"
},
{
"status": "affected",
"version": "@xmldom/xmldom \u003c 0.8.12"
},
{
"status": "affected",
"version": "@xmldom/xmldom \u003e= 0.9.0, \u003c 0.9.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]\u003e to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:47:13.209Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp"
},
{
"name": "https://github.com/xmldom/xmldom/commit/2b852e836ab86dbbd6cbaf0537f584dd0b5ac184",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xmldom/xmldom/commit/2b852e836ab86dbbd6cbaf0537f584dd0b5ac184"
},
{
"name": "https://github.com/xmldom/xmldom/releases/tag/0.8.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xmldom/xmldom/releases/tag/0.8.12"
},
{
"name": "https://github.com/xmldom/xmldom/releases/tag/0.9.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xmldom/xmldom/releases/tag/0.9.9"
}
],
"source": {
"advisory": "GHSA-wh4c-j3r5-mjhp",
"discovery": "UNKNOWN"
},
"title": "xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34601",
"datePublished": "2026-04-02T17:47:13.209Z",
"dateReserved": "2026-03-30T17:15:52.500Z",
"dateUpdated": "2026-04-03T16:03:21.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40165 (GCVE-0-2026-40165)
Vulnerability from cvelistv5 – Published: 2026-05-20 23:35 – Updated: 2026-05-21 14:13
VLAI
Title
authentik: SAML NameID XML Comment Injection Enables Authentication Bypass via Identifier Truncation
Summary
authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an attacker to trick authentik into only seeing a part of the NameID value, potentially allowing an attacker to gain access to other accounts. This issue could be exploited on an authentik instance with a SAML Source, where the attacker had an account on the SAML Source and the ability to modify their NameID value (commonly username or E-mail), and XML Signing was enabled. The attacker could modify the SAML assertion given to authentik by injecting a comment within the NameID value, which effectively truncated the NameID value to the snippet before the comment, and gave the attacker access to any user account. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
Severity
8.7 (High)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/goauthentik/authentik/security… | x_refsource_CONFIRM |
| https://github.com/goauthentik/authentik/commit/4… | x_refsource_MISC |
| https://github.com/goauthentik/authentik/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| goauthentik | authentik |
Affected:
< 2025.12.5
Affected: >= 2026.2.0-rc1, < 2026.2.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40165",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T14:13:10.961177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T14:13:20.329Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "authentik",
"vendor": "goauthentik",
"versions": [
{
"status": "affected",
"version": "\u003c 2025.12.5"
},
{
"status": "affected",
"version": "\u003e= 2026.2.0-rc1, \u003c 2026.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an attacker to trick authentik into only seeing a part of the NameID value, potentially allowing an attacker to gain access to other accounts. This issue could be exploited on an authentik instance with a SAML Source, where the attacker had an account on the SAML Source and the ability to modify their NameID value (commonly username or E-mail), and XML Signing was enabled. The attacker could modify the SAML assertion given to authentik by injecting a comment within the NameID value, which effectively truncated the NameID value to the snippet before the comment, and gave the attacker access to any user account. This issue has been fixed in versions 2025.12.5 and 2026.2.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T23:35:18.309Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9wj8-xv4r-qwrp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-9wj8-xv4r-qwrp"
},
{
"name": "https://github.com/goauthentik/authentik/commit/47dec5c6b7fb4a62bfad2ae8bddf002bde7ba774",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goauthentik/authentik/commit/47dec5c6b7fb4a62bfad2ae8bddf002bde7ba774"
},
{
"name": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5"
}
],
"source": {
"advisory": "GHSA-9wj8-xv4r-qwrp",
"discovery": "UNKNOWN"
},
"title": "authentik: SAML NameID XML Comment Injection Enables Authentication Bypass via Identifier Truncation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40165",
"datePublished": "2026-05-20T23:35:18.309Z",
"dateReserved": "2026-04-09T19:31:56.014Z",
"dateUpdated": "2026-05-21T14:13:20.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41650 (GCVE-0-2026-41650)
Vulnerability from cvelistv5 – Published: 2026-05-07 13:36 – Updated: 2026-05-07 15:08
VLAI
Title
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
Summary
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.
Severity
6.1 (Medium)
CWE
- CWE-91 - XML Injection (aka Blind XPath Injection)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/NaturalIntelligence/fast-xml-p… | x_refsource_CONFIRM |
| https://github.com/NaturalIntelligence/fast-xml-p… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NaturalIntelligence | fast-xml-parser |
Affected:
< 5.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41650",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T15:08:09.204375Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T15:08:36.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fast-xml-parser",
"vendor": "NaturalIntelligence",
"versions": [
{
"status": "affected",
"version": "\u003c 5.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the \"--\u003e\" sequence in comment content or the \"]]\u003e\" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T13:36:55.871Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6"
},
{
"name": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.6.0"
}
],
"source": {
"advisory": "GHSA-gh4j-gqv2-49f6",
"discovery": "UNKNOWN"
},
"title": "fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41650",
"datePublished": "2026-05-07T13:36:55.871Z",
"dateReserved": "2026-04-21T23:58:43.802Z",
"dateUpdated": "2026-05-07T15:08:36.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41672 (GCVE-0-2026-41672)
Vulnerability from cvelistv5 – Published: 2026-05-07 03:36 – Updated: 2026-05-07 14:58
VLAI
Title
xmldom: XML node injection through unvalidated comment serialization
Summary
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
Severity
CWE
- CWE-91 - XML Injection (aka Blind XPath Injection)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/xmldom/xmldom/security/advisor… | x_refsource_CONFIRM |
| https://github.com/xmldom/xmldom/pull/987 | x_refsource_MISC |
| https://github.com/xmldom/xmldom/commit/b39754088… | x_refsource_MISC |
| https://github.com/xmldom/xmldom/commit/fda7cc313… | x_refsource_MISC |
| https://github.com/xmldom/xmldom/releases/tag/0.8.13 | x_refsource_MISC |
| https://github.com/xmldom/xmldom/releases/tag/0.9.10 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41672",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T14:11:04.312092Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T14:58:08.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xmldom",
"vendor": "xmldom",
"versions": [
{
"status": "affected",
"version": "xmldom \u003c= 0.6.0"
},
{
"status": "affected",
"version": "@xmldom/xmldom \u003e= 0.9.0, \u003c 0.9.10"
},
{
"status": "affected",
"version": "@xmldom/xmldom \u003c 0.8.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T03:36:16.914Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"
},
{
"name": "https://github.com/xmldom/xmldom/pull/987",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xmldom/xmldom/pull/987"
},
{
"name": "https://github.com/xmldom/xmldom/commit/b397540889086da868c30c366ad5c220d1a750c7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xmldom/xmldom/commit/b397540889086da868c30c366ad5c220d1a750c7"
},
{
"name": "https://github.com/xmldom/xmldom/commit/fda7cc313de30243fea35cada64e0bb12099c2a1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xmldom/xmldom/commit/fda7cc313de30243fea35cada64e0bb12099c2a1"
},
{
"name": "https://github.com/xmldom/xmldom/releases/tag/0.8.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xmldom/xmldom/releases/tag/0.8.13"
},
{
"name": "https://github.com/xmldom/xmldom/releases/tag/0.9.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xmldom/xmldom/releases/tag/0.9.10"
}
],
"source": {
"advisory": "GHSA-j759-j44w-7fr8",
"discovery": "UNKNOWN"
},
"title": "xmldom: XML node injection through unvalidated comment serialization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41672",
"datePublished": "2026-05-07T03:36:16.914Z",
"dateReserved": "2026-04-22T03:53:24.405Z",
"dateUpdated": "2026-05-07T14:58:08.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-5
Phase: Implementation
Strategy: Input Validation
Description:
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-250: XML Injection
An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
CAPEC-83: XPath Injection
An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.