FKIE_CVE-2026-3511

Vulnerability from fkie_nvd - Published: 2026-03-19 12:16 - Updated: 2026-03-19 13:25
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Summary
Improper Restriction of XML External Entity Reference vulnerability in XMLUtils.java in Slovensko.Digital Autogram allows remote unauthenticated attacker to conduct SSRF (Server Side Request Forgery) attacks and obtain unauthorized access to local files on filesystems running the vulnerable application. Successful exploitation requires the victim to visit a specially crafted website that sends request containing a specially crafted XML document to /sign endpoint of the local HTTP server run by the application.
References
incident@nbu.gov.skhttps://blog.binary.house/2026/03/pripadova-studia-ako-sme-s-claude-code.html
incident@nbu.gov.skhttps://github.com/slovensko-digital/autogram/releases/tag/v2.7.2
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper Restriction of XML External Entity Reference vulnerability in XMLUtils.java in Slovensko.Digital Autogram allows remote unauthenticated attacker to conduct SSRF (Server Side Request Forgery) attacks and obtain unauthorized access to local files on filesystems running the vulnerable application. Successful exploitation requires the victim to visit a specially crafted website that sends request containing a specially crafted XML document to /sign endpoint of the local HTTP server run by the application."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Restricci\u00f3n Inadecuada de Referencia a Entidad Externa XML en XMLUtils.java en Slovensko.Digital Autogram permite a un atacante remoto no autenticado realizar ataques SSRF (Server Side Request Forgery) y obtener acceso no autorizado a archivos locales en sistemas de archivos que ejecutan la aplicaci\u00f3n vulnerable. La explotaci\u00f3n exitosa requiere que la v\u00edctima visite un sitio web especialmente dise\u00f1ado que env\u00eda una solicitud que contiene un documento XML especialmente dise\u00f1ado al endpoint /sign del servidor HTTP local ejecutado por la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2026-3511",
  "lastModified": "2026-03-19T13:25:00.570",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.0,
        "source": "incident@nbu.gov.sk",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-19T12:16:18.647",
  "references": [
    {
      "source": "incident@nbu.gov.sk",
      "url": "https://blog.binary.house/2026/03/pripadova-studia-ako-sme-s-claude-code.html"
    },
    {
      "source": "incident@nbu.gov.sk",
      "url": "https://github.com/slovensko-digital/autogram/releases/tag/v2.7.2"
    }
  ],
  "sourceIdentifier": "incident@nbu.gov.sk",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "incident@nbu.gov.sk",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.