{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/xxe/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-40042"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["xxe","cve-2026-40042","pachno","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePachno 1.0.6 is susceptible to an XML External Entity (XXE) injection vulnerability, identified as CVE-2026-40042. The flaw is in the TextParser helper component, which parses user-supplied markup as XML. An unauthenticated attacker can exploit it to read any file the web server process can open, provided the file\u0026rsquo;s content can be parsed as an XML entity. Injection points include wiki table syntax, issue descriptions, comments, and wiki articles. The root cause is a call to simplexml_load_string() on attacker-controlled content without restricting entity handling; the advisory notes that the LIBXML_NONET flag is not set. LIBXML_NONET on its own only blocks network fetches during parsing, so a file:// entity still resolves wherever entity substitution is in effect; the durable fix is to reject any DOCTYPE in untrusted input and never pass LIBXML_NOENT.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Pachno 1.0.6 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious XML payload containing an external entity declaration. 
This payload aims to read a sensitive file on the server, such as \u003ccode\u003e/etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the payload into a wiki page, issue description, or comment using wiki table syntax or inline tags.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s TextParser helper passes the injected content to simplexml_load_string() with entity resolution in effect (the advisory notes that LIBXML_NONET is not set).\u003c/li\u003e\n\u003cli\u003eThe XML parser resolves the external entity by opening the referenced local file.\u003c/li\u003e\n\u003cli\u003eThe file\u0026rsquo;s contents replace the entity reference in the parsed content.\u003c/li\u003e\n\u003cli\u003eThe attacker views the rendered page, which now carries the contents of the targeted file: unauthorized file access without any credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the process for other files, building up a picture of the system and its configuration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XXE vulnerability (CVE-2026-40042) in Pachno 1.0.6 allows an unauthenticated attacker to read any file the web server process can read. That ranges from configuration files and application code to credentials or other confidential data, which in turn can support lateral movement within the network or data exfiltration. 
Given the ease of exploitation and the potential for significant data leakage, this vulnerability represents a critical risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Pachno that addresses CVE-2026-40042 by parsing user content with external entity resolution disabled.\u003c/li\u003e\n\u003cli\u003eTreat wiki pages, issue descriptions and comments as untrusted input: reject any content containing a DOCTYPE or entity declaration before it reaches the XML parser, rather than relying on sanitization of the rendered output.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing XML entity declarations, which may indicate attempted exploitation of this vulnerability. See the Sigma rule referenced by this brief for guidance.\u003c/li\u003e\n\u003cli\u003eThe advisories at \u003ccode\u003ewww.vulncheck.com\u003c/code\u003e and \u003ccode\u003ewww.zeroscience.mk\u003c/code\u003e are the public references for this issue; blocking those domains at the network level is not a mitigation and does not hinder an attacker, who does not need them to exploit the flaw.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:00:00Z","date_published":"2026-04-14T12:00:00Z","id":"/briefs/2026-04-pachno-xxe/","summary":"Pachno 1.0.6 is vulnerable to XML external entity injection, allowing unauthenticated attackers to read arbitrary files by injecting malicious XML entities into wiki content due to unsafe XML parsing in the TextParser helper.","title":"Pachno 1.0.6 XML External Entity Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-pachno-xxe/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-33913","xxe","openemr","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenEMR, a free and open-source electronic health records and medical practice management application, is 
vulnerable to an XML External Entity (XXE) injection attack (CVE-2026-33913). This vulnerability affects versions prior to 8.0.0.3. An authenticated user with access to the Carecoordination module can exploit this flaw by uploading a specially crafted CCDA document. The malicious document contains an \u003ccode\u003exi:include\u003c/code\u003e tag that references a file on the server (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e), enabling the…\u003c/p\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-openemr-xxe/","summary":"OpenEMR before version 8.0.0.3 is vulnerable to XML External Entity (XXE) injection, allowing an authenticated user with access to the Carecoordination module to upload a crafted CCDA document and read arbitrary files from the server.","title":"OpenEMR XXE Vulnerability (CVE-2026-33913)","url":"https://feed.craftedsignal.io/briefs/2026-03-openemr-xxe/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["changedetection.io (\u003c= 0.54.9)"],"_cs_severities":["high"],"_cs_tags":["XXE","vulnerability","changedetection.io"],"_cs_type":"advisory","_cs_vendors":["changedetection.io"],"content_html":"\u003cp\u003eAn XML External Entity (XXE) vulnerability exists in changedetection.io version 0.54.9 and earlier. The vulnerability resides within the \u003ccode\u003expath_filter()\u003c/code\u003e function in \u003ccode\u003echangedetectionio/html_tools.py:287\u003c/code\u003e. This function creates an XML parser without disabling external entity resolution, external DTD loading, or network-backed entity lookup. An attacker can exploit this by controlling a watched XML/RSS response body and using an XPath include filter. Successful exploitation allows the attacker to read arbitrary local files from the system running changedetection.io, potentially leading to information disclosure. 
This issue was reported on May 4, 2026 (GHSA-v7cp-2cx9-x793) and assigned CVE-2026-41895.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a changedetection.io instance monitoring an XML/RSS feed.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious XML/RSS response containing an external entity declaration referencing a local file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker ensures the watched URL returns the malicious XML/RSS content.\u003c/li\u003e\n\u003cli\u003eThe changedetection.io instance fetches the XML/RSS content from the monitored URL.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s stream detection identifies the content as XML/RSS.\u003c/li\u003e\n\u003cli\u003eThe XPath include filter is triggered, invoking the vulnerable \u003ccode\u003expath_filter()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eetree.fromstring()\u003c/code\u003e parses the untrusted XML bytes, resolving the external entity and reading the referenced local file.\u003c/li\u003e\n\u003cli\u003eThe contents of the local file are exposed in extracted watch output, diff history, or downstream notification channels.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XXE vulnerability (CVE-2026-41895) can lead to the disclosure of sensitive local files on the server running changedetection.io. The impact includes potential exposure of configuration files, credentials, or other sensitive data, which could be leveraged for further attacks or unauthorized access. 
While the number of affected installations is unknown, any instance of changedetection.io version 0.54.9 or earlier that monitors an XML/RSS feed an attacker can influence, with an XPath filter applied, is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade changedetection.io to a version later than 0.54.9 to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eApply the remediation steps suggested by the original report: harden XML parser construction by passing \u003ccode\u003eresolve_entities=False\u003c/code\u003e, \u003ccode\u003eload_dtd=False\u003c/code\u003e, and \u003ccode\u003eno_network=True\u003c/code\u003e to \u003ccode\u003elxml.etree.XMLParser\u003c/code\u003e and handing that parser to \u003ccode\u003eetree.fromstring()\u003c/code\u003e, which otherwise uses the default parser.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Changedetection.io XXE Vulnerability Attempt\u003c/code\u003e to detect potential XXE attacks against changedetection.io instances by monitoring for suspicious XML parsing events.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to activate the rule above (logsource: category: webserver, product: linux).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-changedetectionio-xxe/","summary":"A vulnerability in changedetection.io versions 0.54.9 and earlier allows a remote attacker to perform XML External Entity (XXE) attacks, potentially exposing sensitive local files.","title":"changedetection.io XXE Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-changedetectionio-xxe/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@xmldom/xmldom","xmldom"],"_cs_severities":["high"],"_cs_tags":["xml-injection","xxe","dom","xmldom"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e and \u003ccode\u003exmldom\u003c/code\u003e packages are vulnerable to XML injection due to the lack of validation when serializing 
\u003ccode\u003eDocumentType\u003c/code\u003e node fields. Specifically, the \u003ccode\u003einternalSubset\u003c/code\u003e, \u003ccode\u003epublicId\u003c/code\u003e, and \u003ccode\u003esystemId\u003c/code\u003e fields are serialized verbatim without any escaping or validation. This vulnerability affects \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e versions prior to 0.8.13 and versions 0.9.0 to 0.9.9, as well as \u003ccode\u003exmldom\u003c/code\u003e versions up to 0.6.0. The vulnerability is triggered when these fields are programmatically set to attacker-controlled strings, leading to potential arbitrary markup injection outside the DOCTYPE declaration during serialization using \u003ccode\u003eXMLSerializer.serializeToString\u003c/code\u003e. This can lead to downstream XML parsers being susceptible to XXE attacks. Defenders should audit serializeToString() call sites and add \u003ccode\u003e{ requireWellFormed: true }\u003c/code\u003e to mitigate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an application using a vulnerable version of \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e or \u003ccode\u003exmldom\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker finds a code path where they can control the \u003ccode\u003epublicId\u003c/code\u003e, \u003ccode\u003esystemId\u003c/code\u003e, or \u003ccode\u003einternalSubset\u003c/code\u003e properties of a \u003ccode\u003eDocumentType\u003c/code\u003e node.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious string containing XML injection payloads (e.g., closing DOCTYPE tags or injecting SYSTEM entities).\u003c/li\u003e\n\u003cli\u003eThe attacker uses programmatic calls to \u003ccode\u003ecreateDocumentType\u003c/code\u003e or direct property writes to set the malicious string as the value of the \u003ccode\u003epublicId\u003c/code\u003e, \u003ccode\u003esystemId\u003c/code\u003e, 
or \u003ccode\u003einternalSubset\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003eXMLSerializer.serializeToString\u003c/code\u003e on the document, without the \u003ccode\u003e{ requireWellFormed: true }\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eThe vulnerable serializer emits a DOCTYPE declaration in which the injected string appears verbatim, so the declaration is terminated early or carries injected entity declarations.\u003c/li\u003e\n\u003cli\u003eThe serialized XML is passed to a downstream XML parser that performs entity expansion.\u003c/li\u003e\n\u003cli\u003eThe downstream parser expands the injected entities, enabling XXE and the information disclosure that follows from it.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to the injection of arbitrary XML markup, potentially enabling XXE attacks against downstream XML parsers. The impact depends on how that downstream parser is configured: information disclosure through file-backed entities, server-side request forgery through network-backed entities, or denial of service through entity expansion. The serializer itself never resolves an entity; the injection only matters where its output is later parsed with entity resolution enabled. 
This vulnerability impacts applications using vulnerable versions of \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e and \u003ccode\u003exmldom\u003c/code\u003e that construct \u003ccode\u003eDocumentType\u003c/code\u003e nodes from user-controlled data and serialize the document without proper validation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e version 0.8.13 or later, or version 0.9.10 or later, to receive the fix.\u003c/li\u003e\n\u003cli\u003eThe unscoped \u003ccode\u003exmldom\u003c/code\u003e package is deprecated in favour of \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e; migrate to a fixed release of the scoped package rather than waiting for an \u003ccode\u003exmldom\u003c/code\u003e release after 0.6.0.\u003c/li\u003e\n\u003cli\u003eAudit all calls to \u003ccode\u003eXMLSerializer.serializeToString()\u003c/code\u003e and pass \u003ccode\u003e{ requireWellFormed: true }\u003c/code\u003e so the serializer validates \u003ccode\u003eDocumentType\u003c/code\u003e node fields, as described in the advisory. This matters most for applications that pass untrusted data to \u003ccode\u003ecreateDocumentType()\u003c/code\u003e or write untrusted values directly to a \u003ccode\u003eDocumentType\u003c/code\u003e node\u0026rsquo;s \u003ccode\u003epublicId\u003c/code\u003e, \u003ccode\u003esystemId\u003c/code\u003e, or \u003ccode\u003einternalSubset\u003c/code\u003e properties; those applications should also stop doing so, since a DOCTYPE is no place for user-controlled strings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-xmldom-xml-injection/","summary":"The xmldom package is vulnerable to XML injection. The package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. 
When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. To address this, applications that pass untrusted data to createDocumentType() or write untrusted values directly to a DocumentType node's publicId, systemId, or internalSubset properties should audit all serializeToString() call sites and pass { requireWellFormed: true }.","title":"xmldom XML Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-xmldom-xml-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — XXE","version":"https://jsonfeed.org/version/1.1"}
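Added example, not part of the feed above and not code from Pachno, changedetection.io or any project it names: the XXE mechanism the Pachno and changedetection.io briefs describe, shown with Python's standard-library SAX parser standing in for PHP's simplexml_load_string() and lxml's etree.fromstring(). parse_unsafe() switches on external general entity resolution, which is the condition those briefs describe; parse_hardened() rejects any DOCTYPE before parsing and keeps both entity features off, the same posture as resolve_entities=False / load_dtd=False / no_network=True on the lxml side. The secret file, its path and its content are constructed for the demo, and the function names are the example's own.

```python
"""XXE through an external general entity, and the two knobs that stop it.

Python's stdlib SAX parser (expat) is used as a stand-in for the PHP simplexml
and lxml parsers named on the page; the mechanism is the same.
"""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Gathers character data, the way an application reads a parsed field."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def characters(self, content):
        self._parts.append(content)

    def text(self):
        return "".join(self._parts)


class DoctypeRejected(ValueError):
    """Raised when input carries a DOCTYPE; untrusted XML never needs one."""


def has_doctype(xml_bytes: bytes) -> bool:
    """Byte-level pre-check; UTF-16 input is re-encoded so a BOM cannot hide the keyword."""
    probe = xml_bytes
    if xml_bytes[:2] in (b"\xff\xfe", b"\xfe\xff"):
        probe = xml_bytes.decode("utf-16", errors="replace").encode("utf-8")
    return b"<!DOCTYPE" in probe


def parse_unsafe(xml_bytes: bytes) -> str:
    """Vulnerable configuration: external general entities are opened and expanded."""
    parser = xml.sax.make_parser()
    # Equivalent to LIBXML_NOENT on simplexml_load_string() or resolve_entities=True
    # on lxml: the parser opens whatever the SYSTEM identifier points at.
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def parse_hardened(xml_bytes: bytes) -> str:
    """Reject DOCTYPE outright and keep both entity-resolution features off."""
    if has_doctype(xml_bytes):
        raise DoctypeRejected("DOCTYPE is not allowed in untrusted XML")
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setFeature(xml.sax.handler.feature_external_pes, False)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def run_demo() -> dict:
    """Constructed scenario: a secret file on disk and a payload that references it."""
    workdir = tempfile.mkdtemp(prefix="xxe-demo-")
    secret_path = os.path.join(workdir, "config.ini")
    with open(secret_path, "w", encoding="utf-8") as fh:
        fh.write("db_password=hunter2")  # constructed sample secret, not a real credential
    payload = (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE r [<!ENTITY xxe SYSTEM "{secret_path}">]>\n'
        "<r>&xxe;</r>"
    ).encode("utf-8")

    leaked = parse_unsafe(payload)  # the file's content lands in the parsed text
    try:
        parse_hardened(payload)
        rejected = False
    except DoctypeRejected:
        rejected = True
    benign = parse_hardened(b"<r>hello</r>")  # ordinary documents still parse
    return {"leaked": leaked, "rejected": rejected, "benign": benign}


if __name__ == "__main__":
    print(run_demo())
```

The DOCTYPE pre-check is the part worth copying: turning entity features off protects one parser instance, but rejecting the DTD altogether protects every parser the content may later reach, which is exactly the gap the xmldom brief describes.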
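Added example, not the Sigma rule the Pachno brief refers to and not code from any project on the page: detection logic for the recommendation to watch web-server logs for XML entity declarations, extended to the xi:include vector from the OpenEMR brief. It strips repeated percent-encoding and HTML entity encoding before matching, since probes usually arrive URL-encoded in query strings. The log lines, the captured body and the indicator names are constructed for the example.

```python
"""Flag request records that carry XML entity-declaration indicators.

Records may be access-log lines (query strings) or request bodies captured by a
reverse proxy or WAF; POST bodies do not appear in ordinary access logs.
"""
import html
import re
import urllib.parse

# Case-insensitive on purpose: XML keywords are upper-case, but tolerant parsers
# and obfuscated probes are worth surfacing too.
INDICATORS = {
    "doctype": re.compile(r"<!DOCTYPE\b", re.I),
    "entity_decl": re.compile(r"<!ENTITY\b", re.I),
    "external_id": re.compile(r"\b(?:SYSTEM|PUBLIC)\s+[\"']", re.I),
    "xinclude": re.compile(r"<xi:include\b", re.I),
}


def normalise(record: str, max_rounds: int = 3) -> str:
    """Undo up to max_rounds layers of percent-encoding, then HTML entity encoding."""
    text = record
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return html.unescape(text)


def xxe_indicators(record: str) -> list:
    """Names of the indicators present in one record, in INDICATORS order."""
    text = normalise(record)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan(records) -> list:
    """One hit per matching record: its index and the indicators found."""
    hits = []
    for index, record in enumerate(records):
        found = xxe_indicators(record)
        if found:
            hits.append({"index": index, "indicators": found})
    return hits


# Constructed sample records (combined-log style lines plus one captured body);
# addresses, paths and timestamps are illustrative only.
SAMPLE_RECORDS = [
    '203.0.113.7 - - [14/Apr/2026:12:00:01 +0000] "GET /wiki/EntityRelationships HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Apr/2026:12:03:15 +0000] "GET /search?q=%3C!DOCTYPE+r+%5B%3C!ENTITY+xxe+SYSTEM+%22file:///etc/passwd%22%3E%5D%3E%3Cr%3E%26xxe;%3C/r%3E HTTP/1.1" 200 731 "-" "curl/8.4.0"',
    '198.51.100.9 - - [14/Apr/2026:12:03:42 +0000] "GET /import?xml=%253C%2521ENTITY%2520x%2520SYSTEM%2520%2522file%253A%252F%252F%252Fetc%252Fhostname%2522%253E HTTP/1.1" 400 118 "-" "curl/8.4.0"',
    '<ClinicalDocument xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="file:///etc/passwd" parse="text"/></ClinicalDocument>',
    '203.0.113.7 - - [14/Apr/2026:12:05:09 +0000] "POST /issues/12/comments HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit["index"], ", ".join(hit["indicators"]))
```

The third sample is double-encoded (%2521 becomes %21 becomes !), which is why the decoder loops until the text stops changing; a single unquote pass would miss it. Tune the indicator set to the application: "PUBLIC" followed by a quote is legitimate in some SOAP and DocBook traffic, so that indicator is better treated as corroborating than as an alert on its own.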