XXE — CraftedSignal Threat Feed

Pachno 1.0.6 XML External Entity Injection Vulnerability

hello@craftedsignal.io — Tue, 14 Apr 2026 12:00:00 +0000

Pachno 1.0.6 is susceptible to an XML External Entity (XXE) injection vulnerability, identified as CVE-2026-40042. This flaw resides in the TextParser helper component, where unsafe XML parsing occurs. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the server. The attack involves injecting malicious XML entities into various parts of the application, including wiki table syntax, issue descriptions, comments, and wiki articles. The vulnerability is triggered by the use of the simplexml_load_string() function without proper restrictions (LIBXML_NONET), enabling the resolution of external entities. This issue poses a significant risk as it allows unauthorized access to sensitive data stored on the server.

Attack Chain

An unauthenticated attacker identifies a Pachno 1.0.6 instance.
The attacker crafts a malicious XML payload containing an external entity declaration. This payload aims to read a sensitive file on the server, such as /etc/passwd.
The attacker injects the malicious XML payload into a wiki page, issue description, or comment using wiki table syntax or inline tags.
The application’s TextParser helper processes the injected content using simplexml_load_string() without the LIBXML_NONET flag.
The XML parser attempts to resolve the external entity, initiating a request to read the specified file.
The targeted file’s contents are embedded into the XML response due to the XXE vulnerability.
The attacker retrieves the parsed XML response, which now contains the content of the targeted file, thus achieving unauthorized file access.
The attacker can repeat this process to access other sensitive files, potentially gaining critical information about the system and its configuration.

Impact

Successful exploitation of this XXE vulnerability (CVE-2026-40042) in Pachno 1.0.6 allows an unauthenticated attacker to read arbitrary files from the server. The impact can range from exposing sensitive configuration files and application code to potentially gaining access to user credentials or other confidential data. This information could be used for further malicious activities, such as lateral movement within the network or data exfiltration. Given the ease of exploitation and the potential for significant data leakage, this vulnerability represents a critical risk.

Recommendation

Upgrade to a patched version of Pachno that addresses CVE-2026-40042 by implementing proper XML parsing and disabling external entity resolution.
Implement input validation and sanitization to prevent the injection of malicious XML payloads into wiki pages, issue descriptions, and comments.
Monitor web server logs for requests containing XML entity declarations, which may indicate attempted exploitation of this vulnerability. See the provided Sigma rule for guidance.
Block the domains www.vulncheck.com and www.zeroscience.mk at the network level to prevent access to related advisory information, hindering attacker reconnaissance.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

OpenEMR XXE Vulnerability (CVE-2026-33913)

hello@craftedsignal.io — Thu, 26 Mar 2026 12:00:00 +0000

OpenEMR, a free and open-source electronic health records and medical practice management application, is vulnerable to an XML External Entity (XXE) injection attack (CVE-2026-33913). This vulnerability affects versions prior to 8.0.0.3. An authenticated user with access to the Carecoordination module can exploit this flaw by uploading a specially crafted CCDA document. The malicious document contains an xi:include tag that references a file on the server (e.g., /etc/passwd), enabling the…

changedetection.io XXE Vulnerability

hello@craftedsignal.io — Tue, 30 Jan 2024 12:00:00 +0000

An XML External Entity (XXE) vulnerability exists in changedetection.io version 0.54.9 and earlier. The vulnerability resides within the xpath_filter() function in changedetectionio/html_tools.py:287. This function creates an XML parser without disabling external entity resolution, external DTD loading, or network-backed entity lookup. An attacker can exploit this by controlling a watched XML/RSS response body and using an XPath include filter. Successful exploitation allows the attacker to read arbitrary local files from the system running changedetection.io, potentially leading to information disclosure. This issue was reported on May 4, 2026 (GHSA-v7cp-2cx9-x793) and assigned CVE-2026-41895.

Attack Chain

Attacker identifies a changedetection.io instance monitoring an XML/RSS feed.
Attacker crafts a malicious XML/RSS response containing an external entity declaration referencing a local file (e.g., /etc/passwd).
Attacker ensures the watched URL returns the malicious XML/RSS content.
The changedetection.io instance fetches the XML/RSS content from the monitored URL.
The application’s stream detection identifies the content as XML/RSS.
The XPath include filter is triggered, invoking the vulnerable xpath_filter() function.
etree.fromstring() parses the untrusted XML bytes, resolving the external entity and reading the referenced local file.
The contents of the local file are exposed in extracted watch output, diff history, or downstream notification channels.

Impact

Successful exploitation of this XXE vulnerability (CVE-2026-41895) can lead to the disclosure of sensitive local files on the server running changedetection.io. The impact includes potential exposure of configuration files, credentials, or other sensitive data, which could be leveraged for further attacks or unauthorized access. While the number of affected installations is unknown, any instance of changedetection.io version 0.54.9 or earlier that monitors attacker-controlled XML/RSS feeds using XPath filters is potentially vulnerable.

Recommendation

Upgrade changedetection.io to a version beyond 0.54.9 to remediate the vulnerability.
Apply the remediation steps suggested by the original report: Harden XML parser construction with resolve_entities=False, load_dtd=False, and no_network=True.
Implement the Sigma rule Detect Changedetection.io XXE Vulnerability Attempt to detect potential XXE attacks against changedetection.io instances by monitoring for suspicious XML parsing events.
Enable webserver logging to activate the rule above (logsource: category: webserver, product: linux).

xmldom XML Injection Vulnerability

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

The @xmldom/xmldom and xmldom packages are vulnerable to XML injection due to the lack of validation when serializing DocumentType node fields. Specifically, the internalSubset, publicId, and systemId fields are serialized verbatim without any escaping or validation. This vulnerability affects @xmldom/xmldom versions prior to 0.8.13 and versions 0.9.0 to 0.9.9, as well as xmldom versions up to 0.6.0. The vulnerability is triggered when these fields are programmatically set to attacker-controlled strings, leading to potential arbitrary markup injection outside the DOCTYPE declaration during serialization using XMLSerializer.serializeToString. This can lead to downstream XML parsers being susceptible to XXE attacks. Defenders should audit serializeToString() call sites and add { requireWellFormed: true } to mitigate this vulnerability.

Attack Chain

The attacker identifies an application using a vulnerable version of @xmldom/xmldom or xmldom.
The attacker finds a code path where they can control the publicId, systemId, or internalSubset properties of a DocumentType node.
The attacker crafts a malicious string containing XML injection payloads (e.g., closing DOCTYPE tags or injecting SYSTEM entities).
The attacker uses programmatic calls to createDocumentType or direct property writes to set the malicious string as the value of the publicId, systemId, or internalSubset field.
The application calls XMLSerializer.serializeToString on the document, without the { requireWellFormed: true } option.
The vulnerable serializer emits a DOCTYPE declaration where the injected malicious string is included verbatim, causing the DOCTYPE declaration to be terminated early or to include injected entities.
The serialized XML is passed to a downstream XML parser that performs entity expansion.
The downstream XML parser expands the injected entities, leading to potential XXE attacks, information disclosure, or other malicious actions.

Impact

Successful exploitation of this vulnerability can lead to the injection of arbitrary XML markup, potentially enabling XXE attacks against downstream XML parsers. The impact includes potential information disclosure, arbitrary code execution, or denial-of-service if the downstream parser expands external entities. This vulnerability impacts applications using vulnerable versions of @xmldom/xmldom and xmldom that construct DocumentType nodes from user-controlled data and serialize the document without proper validation.

Recommendation

Upgrade to @xmldom/xmldom version 0.8.13 or later, or version 0.9.10 or later, to receive the fix.
Upgrade to a version of xmldom greater than 0.6.0.
Audit all calls to XMLSerializer.serializeToString() and add the option { requireWellFormed: true } to enforce validation of DocumentType node fields, as described in the advisory.
Applications that pass untrusted data to createDocumentType() or write untrusted values directly to a DocumentType node’s publicId, systemId, or internalSubset properties should audit all serializeToString() call sites and add the option.