{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/xml/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33908"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["dos","imagemagick","xml","cve-2026-33908"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eImageMagick is a widely used open-source software suite for displaying, converting, and editing raster image and vector image files. A critical vulnerability, identified as CVE-2026-33908, affects versions before 7.1.2-19 and 6.9.13-44. This vulnerability stems from the lack of depth limit during recursive processing of XML files via the \u003ccode\u003eDestroyXMLTree()\u003c/code\u003e function. An attacker can exploit this by crafting a malicious XML file with deeply nested structures. When ImageMagick parses this file, the recursive function exhausts stack memory, leading to a denial-of-service condition. Successful exploitation can disrupt services relying on ImageMagick, impacting image processing workflows. 
The vulnerability was addressed in versions 6.9.13-44 and 7.1.2-19.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious XML file with deeply nested elements.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the crafted XML file to a system running a vulnerable version of ImageMagick (e.g., via upload, network share, or email attachment).\u003c/li\u003e\n\u003cli\u003eA user or automated process triggers ImageMagick to process the malicious XML file using command-line tools such as \u003ccode\u003econvert\u003c/code\u003e or through a web application using an ImageMagick library.\u003c/li\u003e\n\u003cli\u003eImageMagick begins parsing the XML file and calls the \u003ccode\u003eDestroyXMLTree()\u003c/code\u003e function to free memory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDestroyXMLTree()\u003c/code\u003e function recursively traverses the XML tree without a depth limit.\u003c/li\u003e\n\u003cli\u003eDue to the deeply nested structure, the recursive calls consume excessive stack memory.\u003c/li\u003e\n\u003cli\u003eStack memory is exhausted, leading to a stack overflow.\u003c/li\u003e\n\u003cli\u003eThe ImageMagick process crashes, resulting in a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33908 leads to a denial-of-service condition on the affected system. Services relying on ImageMagick for image processing become unavailable, potentially disrupting critical workflows. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high potential impact on system availability. 
The number of affected systems depends on the prevalence of vulnerable ImageMagick versions within an organization\u0026rsquo;s infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ImageMagick to version 7.1.2-19 or 6.9.13-44 or later to remediate CVE-2026-33908.\u003c/li\u003e\n\u003cli\u003eImplement file size limits and input validation for XML files processed by ImageMagick to mitigate the risk of malicious file uploads.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eImageMagick_XML_Crash\u003c/code\u003e to detect potential exploitation attempts by monitoring for ImageMagick process crashes.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual patterns of requests with large XML file uploads to identify potential attackers.\u003c/li\u003e\n\u003cli\u003eEnable process crash reporting on systems running ImageMagick to facilitate incident response and investigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T22:18:02Z","date_published":"2026-04-13T22:18:02Z","id":"/briefs/2026-04-imagemagick-dos/","summary":"ImageMagick versions prior to 7.1.2-19 and 6.9.13-44 are susceptible to a denial-of-service (DoS) attack due to unbounded recursion during XML parsing, potentially leading to stack exhaustion.","title":"ImageMagick XML Bomb Denial-of-Service Vulnerability (CVE-2026-33908)","url":"https://feed.craftedsignal.io/briefs/2026-04-imagemagick-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-27664","denial-of-service","xml"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability, tracked as CVE-2026-27664, exists within CPCI85 Central Processing/Communication (all versions prior to V26.10) and SICORE Base system (all versions prior to V26.10.0). 
This flaw stems from an out-of-bounds write during the parsing of maliciously crafted XML inputs. An unauthenticated attacker could exploit this vulnerability by sending a specifically designed XML request to the targeted system. Successful exploitation results in a service crash, effectively creating a denial-of-service (DoS) condition. This vulnerability poses a significant risk to the availability of systems relying on the affected CPCI85 and SICORE Base system components. Defenders should prioritize patching and implement mitigations to prevent potential disruptions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable CPCI85 or SICORE Base system instance exposed to network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious XML payload designed to trigger the out-of-bounds write vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious XML payload to the targeted system via a network request.\u003c/li\u003e\n\u003cli\u003eThe CPCI85 or SICORE Base system receives the XML payload and attempts to parse it.\u003c/li\u003e\n\u003cli\u003eDuring XML parsing, the vulnerability is triggered due to the specially crafted XML structure, leading to an out-of-bounds write operation.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds write corrupts memory within the application process.\u003c/li\u003e\n\u003cli\u003eThe memory corruption causes the service to crash.\u003c/li\u003e\n\u003cli\u003eThe crash results in a denial-of-service condition, rendering the affected system unavailable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-27664 leads to a denial-of-service condition on the affected CPCI85 Central Processing/Communication and SICORE Base systems. 
The number of potential victims depends on the deployment scope of these systems; however, any system using versions prior to V26.10 and V26.10.0, respectively, is vulnerable. This DoS can disrupt critical operations relying on these systems, potentially impacting industrial control processes or other essential services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch provided by Siemens to update CPCI85 Central Processing/Communication to version V26.10 or later, and SICORE Base system to version V26.10.0 or later to remediate CVE-2026-27664 (\u003ca href=\"https://cert-portal.siemens.com/productcert/html/ssa-246443.html\"\u003ehttps://cert-portal.siemens.com/productcert/html/ssa-246443.html\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access control policies to limit exposure of CPCI85 and SICORE Base systems to untrusted networks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for abnormal XML request patterns targeting the affected systems using a custom rule inspecting \u003ccode\u003ecs-uri-query\u003c/code\u003e for anomalous XML structures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T15:16:34Z","date_published":"2026-03-26T15:16:34Z","id":"/briefs/2026-03-cpc85-xml-dos/","summary":"An unauthenticated attacker can exploit an out-of-bounds write vulnerability in CPCI85 Central Processing/Communication and SICORE Base System by sending a malicious XML request, potentially causing a service crash leading to a denial-of-service condition.","title":"CPCI85 and SICORE Base System XML Out-of-Bounds Write 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-cpc85-xml-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["xmldom"],"_cs_severities":["high"],"_cs_tags":["xml","injection","deserialization","vulnerability"],"_cs_type":"advisory","_cs_vendors":["xmldom"],"content_html":"\u003cp\u003eThe xmldom library is susceptible to XML node injection due to a lack of validation when serializing comment nodes. Versions prior to 0.8.13 and versions between 0.9.0 and 0.9.10 are vulnerable. An attacker can inject arbitrary XML nodes into the serialized output by including comment-breaking sequences (e.g., \u003ccode\u003e--\u0026gt;\u003c/code\u003e) in the comment data. This allows them to alter the structure of the XML document. Exploitation involves crafting malicious input that leverages the library\u0026rsquo;s DOM construction and serialization flow. It matters because applications using xmldom to process potentially untrusted XML data could be coerced into generating malicious XML structures. The fix requires an opt-in \u003ccode\u003erequireWellFormed\u003c/code\u003e flag to be enabled when calling \u003ccode\u003eserializeToString()\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn application receives untrusted data intended for use in XML comment content.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003ecreateComment(data)\u003c/code\u003e in xmldom, passing the untrusted data. 
The library stores the data without proper validation.\u003c/li\u003e\n\u003cli\u003eThe application constructs an XML document, including the comment node created in the previous step.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003eserializeToString()\u003c/code\u003e on the XML document to serialize it.\u003c/li\u003e\n\u003cli\u003eIf the untrusted data contains comment-breaking sequences, such as \u003ccode\u003e--\u0026gt;\u003c/code\u003e, the serializer prematurely terminates the comment.\u003c/li\u003e\n\u003cli\u003eThe serializer injects any subsequent content in the untrusted data as live XML markup.\u003c/li\u003e\n\u003cli\u003eThe application stores, forwards, signs, or hands the serialized XML to another parser.\u003c/li\u003e\n\u003cli\u003eThe downstream consumer trusts the altered XML structure, leading to unintended consequences, such as misconfiguration or security bypass.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to inject arbitrary XML nodes, potentially altering the structure and meaning of generated XML documents. This could lead to misconfiguration, policy bypass, or other security vulnerabilities in applications that rely on the integrity of the XML structure. The vulnerability affects applications that use xmldom to build XML from untrusted input. 
The number of victims depends on the usage of the vulnerable library and the exposure of applications to untrusted XML data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e version 0.8.13 or 0.9.10 or later to gain access to the fix.\u003c/li\u003e\n\u003cli\u003eAudit all calls to \u003ccode\u003eserializeToString()\u003c/code\u003e and add the \u003ccode\u003e{ requireWellFormed: true }\u003c/code\u003e option when serializing comments containing potentially untrusted data.\u003c/li\u003e\n\u003cli\u003eImplement server-side input validation to sanitize comment data by removing comment-breaking sequences like \u003ccode\u003e--\u0026gt;\u003c/code\u003e before passing it to \u003ccode\u003ecreateComment()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect comment injections.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-26-xmldom-injection/","summary":"The xmldom library is vulnerable to XML node injection, allowing attackers to inject arbitrary XML nodes into serialized output by manipulating comment content; this is mitigated by using the `requireWellFormed` option in `serializeToString` after upgrading to version 0.8.13 or 0.9.10.","title":"xmldom XML Node Injection via Comment Serialization","url":"https://feed.craftedsignal.io/briefs/2024-01-26-xmldom-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PhpSpreadsheet"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","xml","phpspreadsheet"],"_cs_type":"advisory","_cs_vendors":["phpoffice"],"content_html":"\u003cp\u003eThe PhpSpreadsheet library is susceptible to a denial-of-service (DoS) vulnerability within its SpreadsheetML XML reader (\u003ccode\u003eReader\\Xml\u003c/code\u003e). 
This flaw arises because the reader fails to validate the \u003ccode\u003ess:Index\u003c/code\u003e row attribute against the maximum allowed row count (\u003ccode\u003eAddressRange::MAX_ROW = 1,048,576\u003c/code\u003e). By crafting a malicious SpreadsheetML XML file containing an extremely large \u003ccode\u003ess:Index\u003c/code\u003e value (e.g., \u0026ldquo;999999999\u0026rdquo;) on a \u003ccode\u003e\u0026lt;Row\u0026gt;\u003c/code\u003e element, an attacker can inflate the internal \u003ccode\u003ecachedHighestRow\u003c/code\u003e property to approximately 1 billion. Subsequently, any call to \u003ccode\u003egetRowIterator()\u003c/code\u003e without a specified end row will attempt to iterate over this inflated range, leading to CPU exhaustion and ultimately a DoS condition. This issue affects versions of PhpSpreadsheet from 2.0.0 to 5.6.0 and poses a risk to PHP applications that process user-uploaded SpreadsheetML XML files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious SpreadsheetML XML file (e.g., \u003ccode\u003epoc.xml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe crafted XML file contains a \u003ccode\u003e\u0026lt;Row\u0026gt;\u003c/code\u003e element with an \u003ccode\u003ess:Index\u003c/code\u003e attribute set to a very large integer (e.g., \u003ccode\u003ess:Index=\u0026quot;999999999\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA PHP application using PhpSpreadsheet loads the malicious XML file using \u003ccode\u003eIOFactory::createReader('Xml')-\u0026gt;load('poc.xml')\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eloadSpreadsheetFromFile\u003c/code\u003e method in \u003ccode\u003esrc/PhpSpreadsheet/Reader/Xml.php\u003c/code\u003e processes the \u003ccode\u003e\u0026lt;Row\u0026gt;\u003c/code\u003e element, reads the \u003ccode\u003ess:Index\u003c/code\u003e value, and casts it to an integer without 
validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egetRowDimension()\u003c/code\u003e method in \u003ccode\u003esrc/PhpSpreadsheet/Worksheet.php\u003c/code\u003e is called with the attacker-controlled \u003ccode\u003e$rowID\u003c/code\u003e, inflating the \u003ccode\u003ecachedHighestRow\u003c/code\u003e property.\u003c/li\u003e\n\u003cli\u003eA subsequent call to \u003ccode\u003e$sheet-\u0026gt;getRowIterator()\u003c/code\u003e attempts to iterate from the beginning to the inflated \u003ccode\u003ecachedHighestRow\u003c/code\u003e, triggering excessive CPU consumption.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s CPU resources are exhausted, leading to a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows attackers to cause a denial-of-service condition on servers running PHP applications that utilize PhpSpreadsheet to process SpreadsheetML XML files. The impact includes:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eCPU exhaustion with a small malicious file (~300 bytes).\u003c/li\u003e\n\u003cli\u003eBlocking PHP worker processes, affecting concurrent users.\u003c/li\u003e\n\u003cli\u003eTriggering PHP \u003ccode\u003emax_execution_time\u003c/code\u003e limits while still consuming resources.\u003c/li\u003e\n\u003cli\u003eApplications are vulnerable without authentication if they allow the processing of uploaded SpreadsheetML files.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement validation for the \u003ccode\u003ess:Index\u003c/code\u003e attribute in \u003ccode\u003esrc/PhpSpreadsheet/Reader/Xml.php\u003c/code\u003e to ensure it does not exceed \u003ccode\u003eAddressRange::MAX_ROW\u003c/code\u003e. Apply this validation to both \u003ccode\u003e\u0026lt;Row\u0026gt;\u003c/code\u003e and \u003ccode\u003e\u0026lt;Cell\u0026gt;\u003c/code\u003e elements. 
Use the fix from the advisory (\u003ca href=\"https://github.com/advisories/GHSA-84wq-86v6-x5j6\"\u003ehttps://github.com/advisories/GHSA-84wq-86v6-x5j6\u003c/a\u003e) as a reference.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectSuspiciousPhpSpreadsheetXML\u003c/code\u003e to detect the use of extremely large row indexes in SpreadsheetML files.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests uploading XML files and triggering high CPU usage, correlating with the execution of PhpSpreadsheet.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:45:00Z","date_published":"2024-01-09T18:45:00Z","id":"/briefs/2024-01-09-phpspreadsheet-dos/","summary":"PhpSpreadsheet is vulnerable to a denial-of-service attack by crafting a SpreadsheetML XML file with an excessively large row index, which exhausts server CPU resources due to unbounded iteration.","title":"PhpSpreadsheet XML Reader Denial of Service via Unbounded Row Index","url":"https://feed.craftedsignal.io/briefs/2024-01-09-phpspreadsheet-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Xml","version":"https://jsonfeed.org/version/1.1"}