CWE-91
XML Injection (aka Blind XPath Injection)
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
CVE-2026-41674 (GCVE-0-2026-41674)
Vulnerability from cvelistv5 – Published: 2026-05-07 03:47 – Updated: 2026-06-30 12:08- CWE-91 - XML Injection (aka Blind XPath Injection)
| URL | Tags |
|---|---|
| https://github.com/xmldom/xmldom/security/advisor… | x_refsource_CONFIRM |
| https://github.com/xmldom/xmldom/commit/372008f9a… | x_refsource_MISC |
| https://github.com/xmldom/xmldom/releases/tag/0.8.13 | x_refsource_MISC |
| https://github.com/xmldom/xmldom/releases/tag/0.9.10 | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-41674 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2467620 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:21338 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:26234 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:21703 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:20034 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| xmldom | xmldom |
Affected:
xmldom <= 0.6.0
Affected: @xmldom/xmldom >= 0.9.0, < 0.9.10 Affected: @xmldom/xmldom < 0.8.13 |
|
| Red Hat | Red Hat Developer Hub 1.8 |
cpe:/a:redhat:rhdh:1.8::el9 |
|
| Red Hat | Red Hat Developer Hub 1.9 |
cpe:/a:redhat:rhdh:1.9::el9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4.20 |
cpe:/a:redhat:openshift:4.20::el9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4.21 |
cpe:/a:redhat:openshift:4.21::el9 |
|
| Red Hat | Red Hat Build of Podman Desktop |
cpe:/a:redhat:podman_desktop:1 |
|
| Red Hat | Red Hat Fuse 7 |
cpe:/a:redhat:jboss_fuse:7 |
|
| Red Hat | Self-service automation portal 2 |
cpe:/a:redhat:ansible_portal:2 |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41674",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T12:35:22.818916Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T12:35:39.361Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:rhdh:1.8::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub 1.8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1.9::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub 1.9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.20",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4.21::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4.21",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:podman_desktop:1"
],
"defaultStatus": "affected",
"product": "Red Hat Build of Podman Desktop",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
],
"defaultStatus": "affected",
"product": "Red Hat Fuse 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_portal:2"
],
"defaultStatus": "affected",
"product": "Self-service automation portal 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "unaffected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-07T03:47:51.140Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in xmldom and @xmldom/xmldom, a JavaScript library for parsing and serializing XML. This vulnerability allows an attacker to inject arbitrary XML markup into a document due to improper handling of DocumentType node fields during serialization. By crafting malicious input, an attacker can cause the XML serializer to prematurely terminate the DOCTYPE declaration, enabling the insertion of unauthorized content. This could lead to information disclosure or, in certain configurations, the execution of arbitrary code."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:08:46.303Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-41674"
},
{
"name": "RHBZ#2467620",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467620"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41674.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21338"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21703"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20034"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:21338: Red Hat Developer Hub 1.8"
},
{
"lang": "en",
"value": "RHSA-2026:26234: Red Hat Developer Hub 1.9"
},
{
"lang": "en",
"value": "RHSA-2026:21703: Red Hat OpenShift Container Platform 4.20"
},
{
"lang": "en",
"value": "RHSA-2026:20034: Red Hat OpenShift Container Platform 4.21"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T05:01:25.803Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-07T03:47:51.140Z",
"value": "Made public."
}
],
"title": "xmldom: xmldom: Arbitrary XML markup injection",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "xmldom",
"vendor": "xmldom",
"versions": [
{
"status": "affected",
"version": "xmldom \u003c= 0.6.0"
},
{
"status": "affected",
"version": "@xmldom/xmldom \u003e= 0.9.0, \u003c 0.9.10"
},
{
"status": "affected",
"version": "@xmldom/xmldom \u003c 0.8.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T03:47:51.140Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"
},
{
"name": "https://github.com/xmldom/xmldom/commit/372008f9ae0e20fd69f761c7b79e202598267314",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xmldom/xmldom/commit/372008f9ae0e20fd69f761c7b79e202598267314"
},
{
"name": "https://github.com/xmldom/xmldom/releases/tag/0.8.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xmldom/xmldom/releases/tag/0.8.13"
},
{
"name": "https://github.com/xmldom/xmldom/releases/tag/0.9.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xmldom/xmldom/releases/tag/0.9.10"
}
],
"source": {
"advisory": "GHSA-f6ww-3ggp-fr8h",
"discovery": "UNKNOWN"
},
"title": "xmldom: XML injection through unvalidated DocumentType serialization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41674",
"datePublished": "2026-05-07T03:47:51.140Z",
"dateReserved": "2026-04-22T03:53:24.405Z",
"dateUpdated": "2026-06-30T12:08:46.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41675 (GCVE-0-2026-41675)
Vulnerability from cvelistv5 – Published: 2026-05-07 03:49 – Updated: 2026-07-06 12:05- CWE-91 - XML Injection (aka Blind XPath Injection)
| URL | Tags |
|---|---|
| https://github.com/xmldom/xmldom/security/advisor… | x_refsource_CONFIRM |
| https://github.com/xmldom/xmldom/commit/7207a4b0e… | x_refsource_MISC |
| https://github.com/xmldom/xmldom/releases/tag/0.8.13 | x_refsource_MISC |
| https://github.com/xmldom/xmldom/releases/tag/0.9.10 | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-41675 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2467629 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:26234 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| xmldom | xmldom |
Affected:
xmldom <= 0.6.0
Affected: @xmldom/xmldom >= 0.9.0, < 0.9.10 Affected: @xmldom/xmldom < 0.8.13 |
|
| Red Hat | Red Hat Developer Hub 1.9 |
cpe:/a:redhat:rhdh:1.9::el9 |
|
| Red Hat | Red Hat Build of Podman Desktop |
cpe:/a:redhat:podman_desktop:1 |
|
| Red Hat | Red Hat Fuse 7 |
cpe:/a:redhat:jboss_fuse:7 |
|
| Red Hat | Red Hat OpenShift AI (RHOAI) |
cpe:/a:redhat:openshift_ai |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
|
| Red Hat | Self-service automation portal 2 |
cpe:/a:redhat:ansible_portal:2 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41675",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T13:43:50.798218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T13:44:35.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:rhdh:1.9::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub 1.9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:podman_desktop:1"
],
"defaultStatus": "affected",
"product": "Red Hat Build of Podman Desktop",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
],
"defaultStatus": "affected",
"product": "Red Hat Fuse 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift AI (RHOAI)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_portal:2"
],
"defaultStatus": "affected",
"product": "Self-service automation portal 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-07T03:49:34.056Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in xmldom. A remote attacker can exploit this vulnerability by providing specially crafted processing instruction data. Due to improper validation of the processing instruction closing sequence, the attacker can terminate the instruction prematurely and inject arbitrary XML nodes into the serialized output. This can lead to data manipulation and integrity issues within applications that process the affected XML."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T12:05:02.235Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-41675"
},
{
"name": "RHBZ#2467629",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467629"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41675.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26234"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:26234: Red Hat Developer Hub 1.9"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T05:01:58.399Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-07T03:49:34.056Z",
"value": "Made public."
}
],
"title": "xmldom: xmldom: Arbitrary XML node injection via crafted processing instructions",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "xmldom",
"vendor": "xmldom",
"versions": [
{
"status": "affected",
"version": "xmldom \u003c= 0.6.0"
},
{
"status": "affected",
"version": "@xmldom/xmldom \u003e= 0.9.0, \u003c 0.9.10"
},
{
"status": "affected",
"version": "@xmldom/xmldom \u003c 0.8.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?\u003e. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T03:49:34.056Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"
},
{
"name": "https://github.com/xmldom/xmldom/commit/7207a4b0e0bcc228868075ed991665ef9f73b1c2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xmldom/xmldom/commit/7207a4b0e0bcc228868075ed991665ef9f73b1c2"
},
{
"name": "https://github.com/xmldom/xmldom/releases/tag/0.8.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xmldom/xmldom/releases/tag/0.8.13"
},
{
"name": "https://github.com/xmldom/xmldom/releases/tag/0.9.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xmldom/xmldom/releases/tag/0.9.10"
}
],
"source": {
"advisory": "GHSA-x6wf-f3px-wcqx",
"discovery": "UNKNOWN"
},
"title": "xmldom: XML node injection through unvalidated processing instruction serialization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41675",
"datePublished": "2026-05-07T03:49:34.056Z",
"dateReserved": "2026-04-22T03:53:24.406Z",
"dateUpdated": "2026-07-06T12:05:02.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44664 (GCVE-0-2026-44664)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:27 – Updated: 2026-05-13 16:46- CWE-91 - XML Injection (aka Blind XPath Injection)
| URL | Tags |
|---|---|
| https://github.com/NaturalIntelligence/fast-xml-b… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| NaturalIntelligence | fast-xml-builder |
Affected:
1.1.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44664",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T16:41:12.773476Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T16:46:25.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fast-xml-builder",
"vendor": "NaturalIntelligence",
"versions": [
{
"status": "affected",
"version": "1.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, \u0027- -\u0027). This skip the values containing three consecutive dashes (e.g., ---\u003e...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content. This vulnerability is fixed in 1.1.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:27:34.716Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-45c6-75p6-83cc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-45c6-75p6-83cc"
}
],
"source": {
"advisory": "GHSA-45c6-75p6-83cc",
"discovery": "UNKNOWN"
},
"title": "fast-xml-builder: Comment Value bypass regex"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44664",
"datePublished": "2026-05-13T15:27:34.716Z",
"dateReserved": "2026-05-07T16:20:08.659Z",
"dateUpdated": "2026-05-13T16:46:25.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44665 (GCVE-0-2026-44665)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:24 – Updated: 2026-05-18 15:04- CWE-91 - XML Injection (aka Blind XPath Injection)
| URL | Tags |
|---|---|
| https://github.com/NaturalIntelligence/fast-xml-b… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| NaturalIntelligence | fast-xml-builder |
Affected:
< 1.1.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44665",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T15:04:25.555974Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T15:04:53.679Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fast-xml-builder",
"vendor": "NaturalIntelligence",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:24:54.596Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9"
}
],
"source": {
"advisory": "GHSA-5wm8-gmm8-39j9",
"discovery": "UNKNOWN"
},
"title": "fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44665",
"datePublished": "2026-05-13T15:24:54.596Z",
"dateReserved": "2026-05-07T16:20:08.659Z",
"dateUpdated": "2026-05-18T15:04:53.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46490 (GCVE-0-2026-46490)
Vulnerability from cvelistv5 – Published: 2026-06-08 18:41 – Updated: 2026-06-09 15:13- CWE-91 - XML Injection (aka Blind XPath Injection)
| URL | Tags |
|---|---|
| https://github.com/tngan/samlify/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46490",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:51:00.913741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T15:13:53.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "samlify",
"vendor": "tngan",
"versions": [
{
"status": "affected",
"version": "\u003c 2.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify\u2019s template substitution only escapes attribute contexts. Values inserted into element text (e.g., \u003csaml:AttributeValue\u003e) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new \u003csaml:Attribute\u003e elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups). This issue has been patched in version 2.13.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T18:41:40.145Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tngan/samlify/security/advisories/GHSA-34r5-q4jw-r36m"
}
],
"source": {
"advisory": "GHSA-34r5-q4jw-r36m",
"discovery": "UNKNOWN"
},
"title": "samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46490",
"datePublished": "2026-06-08T18:41:40.145Z",
"dateReserved": "2026-05-14T18:06:06.811Z",
"dateUpdated": "2026-06-09T15:13:53.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47273 (GCVE-0-2026-47273)
Vulnerability from cvelistv5 – Published: 2026-05-27 20:03 – Updated: 2026-05-28 13:26- CWE-91 - XML Injection (aka Blind XPath Injection)
| URL | Tags |
|---|---|
| https://github.com/mcdope/pam_usb/security/adviso… | x_refsource_CONFIRM |
| https://github.com/mcdope/pam_usb/pull/311 | x_refsource_MISC |
| https://github.com/mcdope/pam_usb/commit/721fed08… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47273",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T13:26:03.390650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T13:26:13.079Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pam_usb",
"vendor": "mcdope",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb builds XPath expressions from user-supplied identifiers (PAM username, service name) and device-supplied identifiers (USB device serial, model, vendor) to query /etc/pamusb.conf. These identifiers were not validated for XPath metacharacters, allowing injection of arbitrary XPath predicates. This vulnerability is fixed in 0.9.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T20:03:39.297Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mcdope/pam_usb/security/advisories/GHSA-vfj3-5h5v-6g93",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mcdope/pam_usb/security/advisories/GHSA-vfj3-5h5v-6g93"
},
{
"name": "https://github.com/mcdope/pam_usb/pull/311",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mcdope/pam_usb/pull/311"
},
{
"name": "https://github.com/mcdope/pam_usb/commit/721fed08a3596cb5b4671ad702f8fdc12dcc7420",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mcdope/pam_usb/commit/721fed08a3596cb5b4671ad702f8fdc12dcc7420"
}
],
"source": {
"advisory": "GHSA-vfj3-5h5v-6g93",
"discovery": "UNKNOWN"
},
"title": "pam_usb: XPath injection via PAM-supplied identifiers in pam_usb configuration queries"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47273",
"datePublished": "2026-05-27T20:03:39.297Z",
"dateReserved": "2026-05-18T23:03:37.230Z",
"dateUpdated": "2026-05-28T13:26:13.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53723 (GCVE-0-2026-53723)
Vulnerability from cvelistv5 – Published: 2026-06-11 12:42 – Updated: 2026-06-11 16:13| URL | Tags |
|---|---|
| https://github.com/guzzle/guzzle-services/securit… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| guzzle | guzzle-services |
Affected:
< 1.5.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T15:57:24.654072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T16:13:18.490Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "guzzle-services",
"vendor": "guzzle",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Guzzle Services provides an implementation of the Guzzle Command library that uses Guzzle service descriptions to describe web services, serialize requests, and parse responses into easy to use model structures. Versions prior ro 1.5.4 do not safely serialize scalar XML element values containing the CDATA terminator `]]\u003e`. The XML request serializer writes values containing `\u003c`, `\u003e`, or `\u0026` with `XMLWriter::writeCData($value)`. If attacker-controlled input contains `]]\u003e`, the CDATA section closes early and the remainder is interpreted as XML markup. This is an outgoing request-body integrity issue, not a response parsing issue. The attacker does not need to control the service description or schema. Users are affected when all of the following are true: the application uses `guzzlehttp/guzzle-services` to serialize outgoing requests; a request parameter or `additionalParameters` schema uses `location: xml`; the value is serialized as XML element text, not an XML attribute; the value can contain attacker-controlled, user-controlled, tenant-controlled, or otherwise untrusted input; the value is not constrained by a safe `enum`, `pattern`, or custom filter that excludes `]]\u003e`; and the downstream service parses the generated XML structurally and may act on unexpected, duplicated, or injected elements. Applications that serialize untrusted input into `location: xml` request parameters can emit XML containing attacker-controlled elements outside the intended text node. Depending on the receiving service, this can alter operation semantics, smuggle privileged fields, bypass modeled parameter boundaries, or create conflicting duplicated elements. Fixed service descriptions are sufficient if they contain an XML element parameter populated from attacker-controlled input. Users are not directly affected if they only use Guzzle Services to deserialize HTTP response bodies. Response XML parsing uses the response XML location visitor and does not invoke the vulnerable request XML serializer. Response bodies matter only in a second-order flow, such as parsing attacker-controlled response XML, storing or forwarding a parsed string value, and later using it as a `location: xml` request parameter. The issue is patched in `1.5.3` and later by safely splitting embedded CDATA terminators before serialization. The fix preserves the original scalar value as XML text and prevents injected nodes. As a workaround, constrain attacker-controlled XML element values with a strict `enum`, `pattern`, or custom filter that excludes `]]\u003e`, or avoid serializing untrusted data into `location: xml` element text until patched. Where appropriate for the service schema, XML attributes are not affected because they are written with XMLWriter attribute APIs rather than CDATA sections. To determine whether action is needed, search service descriptions for request parameters using `location: xml`, including operation `parameters` and `additionalParameters`. Response-only `models` are not directly affected unless parsed values are reused for request serialization. For object and array parameters, review nested scalar properties because leaf element values can still be affected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T12:42:42.919Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/guzzle/guzzle-services/security/advisories/GHSA-q8r6-5hfw-5jff",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/guzzle/guzzle-services/security/advisories/GHSA-q8r6-5hfw-5jff"
}
],
"source": {
"advisory": "GHSA-q8r6-5hfw-5jff",
"discovery": "UNKNOWN"
},
"title": "guzzlehttp/guzzle-services\u0027 XML Request Serialization Vulnerable to XML Injection via CDATA Terminator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53723",
"datePublished": "2026-06-11T12:42:42.919Z",
"dateReserved": "2026-06-10T16:43:31.242Z",
"dateUpdated": "2026-06-11T16:13:18.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55789 (GCVE-0-2026-55789)
Vulnerability from cvelistv5 – Published: 2026-07-10 19:55 – Updated: 2026-07-10 19:55| URL | Tags |
|---|---|
| https://github.com/logto-io/logto/security/adviso… | x_refsource_CONFIRM |
| https://github.com/logto-io/logto/pull/9107 | x_refsource_MISC |
| https://github.com/logto-io/logto/commit/90970548… | x_refsource_MISC |
| https://github.com/logto-io/logto/releases/tag/v1.41.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "logto",
"vendor": "logto-io",
"versions": [
{
"status": "affected",
"version": "\u003c 1.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto\u0027s self-hosted SAML application IdP built the signed SAML response and assertion by string-substituting user-controlled profile attributes such as name, email, and custom attribute-mapping values into element-text placeholders of a SAML XML template using samlify 2.10.0, which left those placeholders unescaped. An authenticated low-privilege user could place XML markup in a profile attribute so Logto signed a forged SAML attribute, such as an arbitrary role, allowing privilege escalation at relying Service Providers that authorize on SAML attributes. This issue is fixed in version 1.41.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-91",
"description": "CWE-91: XML Injection (aka Blind XPath Injection)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T19:55:37.360Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/logto-io/logto/security/advisories/GHSA-vfpw-vq44-4p63",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/logto-io/logto/security/advisories/GHSA-vfpw-vq44-4p63"
},
{
"name": "https://github.com/logto-io/logto/pull/9107",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/pull/9107"
},
{
"name": "https://github.com/logto-io/logto/commit/9097054860f0d638d90778d3dcde2ba050b844b6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/commit/9097054860f0d638d90778d3dcde2ba050b844b6"
},
{
"name": "https://github.com/logto-io/logto/releases/tag/v1.41.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/logto-io/logto/releases/tag/v1.41.0"
}
],
"source": {
"advisory": "GHSA-vfpw-vq44-4p63",
"discovery": "UNKNOWN"
},
"title": "Logto: SAML IdP injects user-controlled profile attributes raw into signed assertions, allowing privilege escalation at relying Service Providers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55789",
"datePublished": "2026-07-10T19:55:37.360Z",
"dateReserved": "2026-06-17T14:40:28.380Z",
"dateUpdated": "2026-07-10T19:55:37.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-5
Phase: Implementation
Strategy: Input Validation
Description:
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-250: XML Injection
An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
CAPEC-83: XPath Injection
An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.