Lucene search

105 matches found

Cvelist (added 2 days ago)

CVE-2026-6653 libxml2: Use after free in xmlParseInternalSubset via improper entity resolution handling

Use After Free in libxml2's xmlParseInternalSubset from GNOME libxml2 version 2.9.11 to 2.11.0 allows a remote attacker to cause a denial-of-service via maliciously crafted XML input with improper entity resolution handling...

CVSS 8.3 | EPSS 0.00289 | Exploits 0 | References 2
CVE (added 2 days ago)

CVE-2026-6653

CVE-2026-6653 affects GNOME libxml2’s libxml2 library, specifically xmlParseInternalSubset. The vulnerability is a Use-After-Free in xmlParseInternalSubset in libxml2 versions 2.9.11 through 2.11.0, caused by improper entity resolution handling. The issue enables a remote attacker to trigger a de...

CVSS 8.3 | AI score 5.9 | EPSS 0.00289 | Exploits 0 | References 2
ATTACKERKB (added 2 days ago)

CVE-2026-6653

Use After Free in libxml2's xmlParseInternalSubset from GNOME libxml2 version 2.9.11 to 2.11.0 allows a remote attacker to cause a denial-of-service via maliciously crafted XML input with improper entity resolution handling...

CVSS 8.3 | AI score 5.9 | EPSS 0.00289 | Exploits 0 | References 3 | Affected Software 1
NVD (added 6 days ago)

CVE-2025-58175

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a GeoServer that uses ENTITY_RESOLUTION_ALLOWLIST may allow an attacker to perform unauthenticated Server-Side Request Forgery (SSRF). This vulnerability requires that GeoServer i...

CVSS 8.2 | EPSS 0.00287 | Exploits 0 | References 3
CVE (added 6 days ago)

CVE-2025-58175

CVE-2025-58175 affects GeoServer prior to 2.26.4 and 2.27.3. When GeoServer is configured to use a proxy base URL and ENTITY_RESOLUTION_ALLOWLIST, an unauthenticated Server-Side Request Forgery (SSRF) can be triggered. The issue only affects installations where the proxy base URL lacks a URL path...

CVSS 8.2 | AI score 5.3 | EPSS 0.00287 | Exploits 0 | References 3 | Affected Software 1
OSV (added 2026/06/12 6:23 p.m.)

GHSA-X4R9-GMW3-HXWW GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution

Summary: A GeoServer that uses ENTITY_RESOLUTION_ALLOWLIST may allow an attacker to perform unauthenticated Server-Side Request Forgery (SSRF). Details: This vulnerability requires that GeoServer is set up to use a proxy base URL and the ENTITY_RESOLUTION_ALLOWLIST default since 2.25.0. Impact: This...

CVSS 6.5 | AI score 5.4 | EPSS 0.00287 | Exploits 0 | References 3
Github Security Blog (added 2026/06/12 6:23 p.m.)

GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution

Summary: A GeoServer that uses ENTITY_RESOLUTION_ALLOWLIST may allow an attacker to perform unauthenticated Server-Side Request Forgery (SSRF). Details: This vulnerability requires that GeoServer is set up to use a proxy base URL and the ENTITY_RESOLUTION_ALLOWLIST default since 2.25.0. Impact: This...

CVSS 8.2 | AI score 5.3 | EPSS 0.00287 | Exploits 0 | References 3 | Affected Software 2
NVD (added 2026/06/12 10:16 a.m.)

CVE-2026-49875

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue...

CVSS 9.8 | EPSS 0.00368 | Exploits 0 | References 2
Vulnrichment (added 2026/06/12 8:54 a.m.)

CVE-2026-49875 Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue...

AI score 5.2 | EPSS 0.00368 | Exploits 0 | References 1
EUVD (added 2026/06/12 8:54 a.m.)

EUVD-2026-36394

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue...

AI score 5.2 | EPSS 0.00368 | Exploits 0 | References 1
CVE (added 2026/06/12 8:54 a.m.)

CVE-2026-49875

Apache CXF is affected by an XML External Entity (XXE) issue described as CVE-2026-49875. The vulnerability arises because EndpointReferenceUtils and W3CMultiSchemaFactory construct a SAXParserFactory without proper JAXP hardening, enabling out-of-band (OOB) external entity resolution. Affected c...

CVSS 9.8 | AI score 5.3 | EPSS 0.00368 | Exploits 0 | References 2 | Affected Software 1
Positive Technologies (added 2026/06/12 12:00 a.m.)

PT-2026-49054

Name of the Vulnerable Software and Affected Versions: GeoServer versions prior to 2.26.4; GeoServer versions prior to 2.27.3. Description: GeoServer allows unauthenticated Server-Side Request Forgery (SSRF), a condition where an attacker can cause the server to make requests to an unintended location...

CVSS 6.5 | AI score 5.3 | EPSS 0.00287 | Exploits 0 | References 5
Positive Technologies (added 2026/06/12 12:00 a.m.)

PT-2026-48844

Name of the Vulnerable Software and Affected Versions: Apache CXF versions prior to 4.2.2; Apache CXF versions prior to 4.1.7. Description: The EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the required JAXP hardening configurations. This allows for...

CVSS 9.8 | AI score 5.3 | EPSS 0.00368 | Exploits 0 | References 7
RedhatCVE (added 2026/06/05 6:49 p.m.)

CVE-2024-8010

The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files...

CVSS 7.5 | AI score 5.5 | EPSS 0.00273 | Exploits 0 | References 1
RedhatCVE (added 2026/06/03 4:02 p.m.)

CVE-2026-46722

The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index...

CVSS 5.9 | AI score 5.8 | EPSS 0.00301 | Exploits 0 | References 1
Packet Storm News (added 2026/06/01 12:00 a.m.)

Cross-Vendor Sola ISPM Benchmark: Evaluating Agentic AI for Federated Identity Security Reasoning

The rapid proliferation of multi-cloud and SaaS platforms has transformed Identity Security Posture Management (ISPM) into a fundamentally cross-vendor challenge: critical misconfigurations and privilege escalation paths increasingly span multiple identity providers, infrastructure layers, and...

AI score 5.9 | Exploits 0
NVD (added 2026/05/27 4:16 a.m.)

CVE-2026-2253

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, do not prevent certain XML parsers from resolving external entities...

CVSS 7.7 | EPSS 0.00201 | Exploits 0 | References 1
Positive Technologies (added 2026/05/27 12:00 a.m.)

PT-2026-43483

Name of the Vulnerable Software and Affected Versions: Hitachi Vantara Pentaho Data Integration & Analytics versions prior to 10.2.0.7; Hitachi Vantara Pentaho Data Integration & Analytics versions prior to 11.0.0.0. Description: Certain XML parsers do not prevent the resolution of external entities...

CVSS 7.7 | AI score 5.9 | EPSS 0.00201 | Exploits 0 | References 5
NVD (added 2026/05/19 10:16 a.m.)

CVE-2026-46722

The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index...

CVSS 5.9 | EPSS 0.00301 | Exploits 0 | References 1
ATTACKERKB (added 2026/05/19 9:23 a.m.)

CVE-2026-46722

The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index...

CVSS 5.9 | AI score 5.8 | EPSS 0.00301 | Exploits 0 | References 2 | Affected Software 1