6 matches found
CVE-2026-43928
FOSSBilling PayPalEmail integration before 0.8.0 credits mc_gross from IPN without validating against the invoice total, combined with a $0.05 epsilon in the credit logic, enabling underpayment of up to $0.04 while marking invoices as paid. Version 0.8.0 patches the issue. No public workaround ex...
XML External Entity (XXE) Injection
peppolpy is vulnerable to XML External Entity XXE injection. The vulnerability is due to insecure Saxon XML parser configuration, where external entities are allowed during XML invoice validation, enabling attackers to read local files and exfiltrate their contents to a remote host...
GHSA-24HM-WM2H-H8W7 Peppol-py is vulnerable to XXE attacks due to Saxon configuration
Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host...
PT-2025-48313
Name of the Vulnerable Software and Affected Versions Peppol-py versions prior to 1.1.1 Description Peppol-py before version 1.1.1 contains a flaw due to the Saxon configuration that allows for XML External Entity XXE attacks. When processing XML-based invoices, the XML parser is susceptible to...
CVE-2025-66371
Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host...
EUVD-2025-199852
Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host...