CPE
An incomplete fix for CVE-2026-40882 in OpenRemote's KNXProtocol module (specifically in versions <= 1.24.1 of the agent module) allows authenticated users to perform an XML External Entity (XXE) injection, enabling arbitrary file read from the server's filesystem, including sensitive configuration files and potentially leading to server-side request forgery (SSRF) against cloud metadata endpoints or internal services, without requiring administrator access.