Improper Restriction of XML External Entity Reference in Netcad Software NetGIS (CVE-2026-8396)
A critical XML External Entity (XXE) vulnerability, CVE-2026-8396, in Netcad Software Inc.'s NetGIS allows unauthenticated remote attackers to perform serialized data external linking, potentially leading to sensitive information disclosure or server-side request forgery.
An improper restriction of XML external entity reference (XXE) vulnerability, tracked as CVE-2026-8396, has been identified in Netcad Software Inc.'s NetGIS application. This vulnerability affects versions from 5.0.66 up to, but not including, 7.2.2. The flaw allows for "Serialized Data External Linking," where an attacker can supply specially crafted XML input that causes the application to parse and include external content, potentially from local files or remote servers. This can lead to sensitive information disclosure or server-side request forgery (SSRF), with a CVSS v3.1 base score of 7.5 (High). This vulnerability poses a significant risk to organizations using affected NetGIS versions, as it can allow unauthenticated access to internal system information.
Attack Chain
- An unauthenticated attacker identifies a public-facing instance of Netcad NetGIS running an affected version (5.0.66 through 7.2.1).
- The attacker identifies application endpoints within NetGIS that accept XML input through HTTP requests.
- The attacker crafts a malicious XML document that includes an external entity (XXE) declaration configured to retrieve sensitive content from the target system, such as
/etc/passwdor system configuration files. - The attacker sends this specially crafted XML document within an HTTP POST request to the vulnerable NetGIS endpoint.
- The NetGIS application's XML parser processes the input, and due to the improper restriction of XML external entity references (CWE-611), it resolves the declared external entity.
- The content of the specified local file or external resource is then fetched by the NetGIS application and embedded into the XML parser's output.
- The NetGIS application's response, which may include an error message or a processed XML document, inadvertently contains the sensitive data fetched by the external entity.
- The attacker receives and parses the application's response to extract the exfiltrated sensitive information, leading to data exposure.
Impact
The successful exploitation of CVE-2026-8396 can lead to the unauthorized disclosure of sensitive information from the underlying server or its internal network. Attackers can leverage this vulnerability to read arbitrary files on the system, potentially including configuration files, source code, or credentials, which could facilitate further compromise. While specific victim counts are not available, any organization utilizing vulnerable Netcad NetGIS versions could be at risk. The impact extends beyond simple data leakage, as XXE can sometimes be chained with other vulnerabilities to achieve remote code execution or used for network reconnaissance within the target's internal infrastructure by performing server-side request forgery.
Recommendation
- Patch CVE-2026-8396 immediately by upgrading Netcad NetGIS to version 7.2.2 or higher.
- Review web server access logs and application logs for unusual HTTP POST requests containing XML content that may indicate attempts to exploit XML external entity vulnerabilities.