
2718 matches found

OSV
added 2026/05/22 1:21 p.m., 4 views

OESA-2026-2433 expat security update

expat is a stream-oriented XML parser library written in C. expat excels with files too large to fit RAM, and where performance and flexibility are crucial. Security Fixes: In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via...

CVSS 7.5 | AI score 5.8 | EPSS 0.00011
Exploits: 1 | References: 2
EUVD
added 2026/05/22 12:17 p.m., 11 views

EUVD-2026-31434

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue...

CVSS 5.3 | AI score 5.7 | EPSS 0.00167
Exploits: 0 | References: 1
Vulnrichment
added 2026/05/22 12:17 p.m., 10 views

CVE-2026-44618 Apache CXF: XXE vulnerability in WS-Transfer functionality

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue...

AI score 5.7 | EPSS 0.00167
Exploits: 0 | References: 1
Cvelist
added 2026/05/22 12:17 p.m., 35 views

CVE-2026-44618 Apache CXF: XXE vulnerability in WS-Transfer functionality

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue...

EPSS 0.00167
Exploits: 0 | References: 1
IBM Security Bulletins
added 2026/05/22 8:32 a.m., 8 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to node module fast-xml-parser

Summary: IBM App Connect Enterprise Connector Discovery and OpenAPI Editor, IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise runtime are vulnerable to multiple vulnerabilities due to node module fast-xml-parser. Vulnerability Details: CVEID: CVE-2026-27942 DESCRIPTION:...

CVSS 7.5 | AI score 5.8 | EPSS 0.00039
Exploits: 2 | Affected Software: 1
Tenable Nessus
added 2026/05/22 12:0 a.m., 12 views

Unity Linux 20.1060e / 20.1070e Security Update: xmlbeans (UTSA-2026-016630)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016630 advisory. The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include...

CVSS 9.1 | AI score 6.7 | EPSS 0.00444
Exploits: 0 | References: 4
Tenable Nessus
added 2026/05/22 12:0 a.m., 4 views

Unity Linux 20.1060e / 20.1070e Security Update: xerces-c (UTSA-2026-016688)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016688 advisory. The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the...

CVSS 8.1 | AI score 7 | EPSS 0.04171
Exploits: 0 | References: 4
Positive Technologies
added 2026/05/22 12:0 a.m., 8 views

PT-2026-42754

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue...

CVSS 5.3 | AI score 5.7 | EPSS 0.00167
Exploits: 0 | References: 3
CNNVD
added 2026/05/22 12:0 a.m., 7 views

Apache CXF security vulnerability

Apache CXF is an open-source web service framework developed by the Apache Foundation in the United States. This framework supports various web service standards and multiple front-end programming APIs. There is a security vulnerability in Apache CXF, which stems from an insecure XML parser...

CVSS 5.3 | AI score 5.9 | EPSS 0.00167
Exploits: 0 | References: 2
Tenable Nessus
added 2026/05/22 12:0 a.m., 4 views

Unity Linux 20.1060e / 20.1070e Security Update: rubygem-nokogiri (UTSA-2026-016636)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016636 advisory. Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parse...

CVSS 7.5 | AI score 7.2 | EPSS 0.00251
Exploits: 0 | References: 4
Fedora
added 2026/05/21 1:28 a.m., 8 views

[SECURITY] Fedora 43 Update: mingw-expat-2.8.1-1.fc43

This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with the parser prior to starting the parse. These handlers are called when the parser discovers the associated structures in the document being parse...

CVSS 7.5 | AI score 5.8 | EPSS 0.00013
Exploits: 0
Fedora
added 2026/05/21 12:57 a.m., 9 views

[SECURITY] Fedora 44 Update: mingw-expat-2.8.1-1.fc44

This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with the parser prior to starting the parse. These handlers are called when the parser discovers the associated structures in the document being parse...

CVSS 7.5 | AI score 5.8 | EPSS 0.00013
Exploits: 0
AstraLinux
added 2026/05/20 5:53 a.m., 1 views

Astra Linux - vulnerability in opencv

An issue was discovered in OpenCV prior to version 4.1.1. There is a NULL pointer dereferencing in the function cv::XMLParser::parse, located in modules/core/src/persistence.cpp...

CVSS 7.5 | AI score 6.7 | EPSS 0.00167
Exploits: 1 | References: 2
RedhatCVE
added 2026/05/18 2:27 p.m., 9 views

CVE-2026-41650

A flaw was found in fast-xml-parser. The XMLBuilder component does not properly escape specific sequences "--" in comments and "" in CDATA sections when constructing XML from JavaScript objects. This vulnerability allows an attacker to perform XML injection if user-controlled data is processed...

CVSS 6.1 | AI score 5.7 | EPSS 0.00012
Exploits: 1 | References: 5
RedhatCVE
added 2026/05/18 1:57 a.m., 6 views

CVE-2024-13971

Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobsterpro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services...

CVSS 7.7 | AI score 6 | EPSS 0.00022
Exploits: 2 | References: 1
RedhatCVE
added 2026/05/18 1:57 a.m., 8 views

CVE-2024-39847

Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services...

CVSS 8.7 | AI score 6 | EPSS 0.00019
Exploits: 2 | References: 1
OSV
added 2026/05/15 2:0 p.m., 4 views

OESA-2026-2295 expat security update

expat is a stream-oriented XML parser library written in C. expat excels with files too large to fit RAM, and where performance and flexibility are crucial. Security Fixes: libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document. CVE-2026-41080...

CVSS 7.5 | AI score 5.8 | EPSS 0.00013
Exploits: 0 | References: 2
OSV
added 2026/05/15 2:0 p.m., 5 views

OESA-2026-2294 expat security update

expat is a stream-oriented XML parser library written in C. expat excels with files too large to fit RAM, and where performance and flexibility are crucial. Security Fixes: libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document. CVE-2026-41080...

CVSS 7.5 | AI score 5.8 | EPSS 0.00013
Exploits: 0 | References: 2
Amazon
added 2026/05/15 12:0 a.m., 11 views

Low: firefox

Issue Overview: libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document. CVE-2026-41080 Affected Packages: firefox Issue Correction: Run dnf update firefox --releasever 2023.11.20260514 or dnf update --advisory ALAS2023-2026-1706 --releasever...

CVSS 7.5 | AI score 5.8 | EPSS 0.00013
Exploits: 0
CVE
added 2026/05/12 4:52 p.m., 7 views

CVE-2026-41895

The CVE-2026-41895 entry concerns changedetection.io and documents an XXE vulnerability in its XML/RSS handling. In version 0.54.9 and earlier, xpath_filter() switches to XML mode and constructs etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external D...

CVSS 8.2 | AI score 5.8 | EPSS 0.00046
Exploits: 0 | References: 1 | Affected Software: 1