14 matches found

EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2025-29373

Malicious code in bioql PyPI...

AI score 6.6
Exploits: 0, References: 3
Veracode
added 2025/09/24 4:37 a.m., 2 views

Arbitrary File Upload

xml2rfc is vulnerable to Arbitrary File Upload. The vulnerability is due to improper input sanitization: an attacker can inject a malicious element into the XML used to generate the PDF, causing the generator to read and include arbitrary filesystem files...

AI score 7.1
Exploits: 0
Snyk
added 2025/09/10 8:44 p.m., 2 views

Directory Traversal

Overview: xml2rfc generates RFCs and IETF drafts from document source in XML according to the IETF xml2rfc v2 and v3 vocabularies. Affected versions of this package are vulnerable to Directory Traversal via the processing of link elements with rel="attachment" in prepped RFCXML files...

CVSS 7.1, AI score 7.7
Exploits: 0, References: 2
Github Security Blog
added 2025/09/10 8:44 p.m., 4 views

xml2rfc is vulnerable to arbitrary file reads through prepped files

Impact: When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting a malicious link element into the prepped RFCXML. Workarounds: Test untrusted input with link elements with rel="attachment" before processing. References: This is related ...

AI score 6.9
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2025/08/26 5:45 p.m., 2 views

GHSA-CFMV-H8FX-85M7 xml2rfc has an arbitrary file read vulnerability

Impact: When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting a malicious link element into the XML. Workarounds: Test untrusted input with link elements with rel="attachment" before processing. Credits: This vulnerability was reporte...

CVSS 8.7, AI score 7
Exploits: 0, References: 3
Github Security Blog
added 2025/08/26 5:45 p.m., 6 views

xml2rfc has an arbitrary file read vulnerability

Impact: When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting a malicious link element into the XML. Workarounds: Test untrusted input with link elements with rel="attachment" before processing. Credits: This vulnerability was reporte...

AI score 7
Exploits: 0, References: 3, Affected Software: 1
Snyk
added 2025/08/26 5:45 p.m., 3 views

Directory Traversal

Overview: xml2rfc generates RFCs and IETF drafts from document source in XML according to the IETF xml2rfc v2 and v3 vocabularies. Affected versions of this package are vulnerable to Directory Traversal via the PDF generation process. An attacker can access arbitrary files on the...

CVSS 8.7, AI score 7.5
Exploits: 0, References: 2
Veracode
added 2025/02/11 3:41 a.m., 2 views

XML External Entity (XXE)

xml2rfc is vulnerable to XML External Entity (XXE) injection. The vulnerability is due to improper enforcement of the --allow-local-file-access flag, allowing XML entity references to access local files within the source directory, leading to potential information disclosure...

AI score 6.6
Exploits: 0
OSV
added 2025/02/07 8:32 p.m., 4 views

GHSA-432C-WXPG-M4Q3 xml2rfc has file inclusion irregularities

Version 3.12.0 changed xml2rfc so that it would not access local files without the presence of its new --allow-local-file-access flag. This prevented XML External Entity (XXE) injection attacks with xinclude and XML entity references. It was discovered that xml2rfc does not respect...

CVSS 6.9, AI score 7.2
Exploits: 0, References: 3
Github Security Blog
added 2025/02/07 8:32 p.m., 3 views

xml2rfc has file inclusion irregularities

Version 3.12.0 changed xml2rfc so that it would not access local files without the presence of its new --allow-local-file-access flag. This prevented XML External Entity (XXE) injection attacks with xinclude and XML entity references. It was discovered that xml2rfc does not respect...

AI score 7.2
Exploits: 0, References: 3, Affected Software: 1
Snyk
added 2025/02/07 8:32 p.m., 3 views

Directory Traversal

Overview: xml2rfc generates RFCs and IETF drafts from document source in XML according to the IETF xml2rfc v2 and v3 vocabularies. Affected versions of this package are vulnerable to Directory Traversal through the src attribute in artwork or sourcecode elements due to improper...

CVSS 6.9, AI score 7.4
Exploits: 0, References: 2
Positive Technologies
added 2025/02/07 12:00 a.m., 2 views

PT-2025-6020 · Xml2Rfc · Xml2Rfc

Name of the Vulnerable Software and Affected Versions: xml2rfc versions 3.12.0 through 3.26.0. Description: The issue concerns XML External Entity (XXE) injection attacks. It was discovered that xml2rfc does not respect the --allow-local-file-access flag when a local file is specified as src in...

CVSS 6.9, AI score 7.4
Exploits: 0, References: 4
Veracode
added 2022/04/25 5:22 a.m., 8 views

Cross-site Scripting (XSS)

xml2rfc is vulnerable to cross-site scripting. The vulnerability exists in the validate function in base.py due to a lack of input validation, which allows an attacker to inject and craft SVG images embedded with malicious scripts...

AI score 2.7
Exploits: 0
Github Security Blog
added 2022/04/22 8:25 p.m., 24 views

SVG with embedded scripts can lead to cross-site scripting attacks in xml2rfc

xml2rfc allows script elements in SVG sources. In HTML output, these script elements can lead to XSS attacks. Sample XML snippet: Impact: This vulnerability impacts websites that publish HTML drafts and RFCs. Patches: This has been fixed in version 3.12.4. Workarounds: If SVG source is...

AI score 5.9
Exploits: 0, References: 2, Affected Software: 1