XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled.

🗓️ 19 Oct 2025 01:01:21Reported by MicrosoftType

mscve

mscve🔗 msrc.microsoft.com👁 4 Views

XMLUnit for Java before 2.10.0 may permit code execution from untrusted XSLT stylesheets with enabled extension functions.

Reporter	Title	Published	Views	Family All 30
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to xmlunit-core-2.9.1.jar CVE-2024-31573	28 Jan 202522:08	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to XMLUnit for Java arbitrary code execution vulnerability [CVE-2024-31573]	28 Jan 202522:08	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise is vulnerable to an attack to execute arbitrary code due to XMLUnit (CVE-2024-31573)	14 Jun 202411:38	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Network Automation 2.7.4 addresses multiple security vulnerabilities	15 Apr 202502:42	–	ibm
Tenable Nessus	Amazon Linux 2023 : xmlunit, xmlunit-assertj, xmlunit-core (ALAS2023-2025-1260)	11 Nov 202500:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2024-31573	27 Oct 202500:00	–	nessus
Amazon	Important: xmlunit	10 Nov 202500:00	–	amazon
Circl	CVE-2024-31573	21 Apr 202621:00	–	circl
CNNVD	XMLUnit 安全漏洞	17 Oct 202500:00	–	cnnvd
CVE	CVE-2024-31573	17 Oct 202500:00	–	cve

19 Oct 2025 01:01Current

7High risk

Vulners AI Score7

CVSS 3.14

EPSS0.00036

SSVC

XMLUnit Java XSL Transform Extension functions Code execution Untrusted stylesheet