XXE in Libxml2
CVE-2024-40896
In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE at…
Vulnerability class: XXE (XML External Entity)
EPSS: 0.012 (63.3th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H.
Affected products
Weakness classification (CWE)
References
- cve@mitre.org (Issue Tracking)
- cve@mitre.org (Issue Tracking)
- af854a3a-2127-422b-91ae-364da2661108 (Third Party Advisory)
Frequently asked questions
- What is CVE-2024-40896?
- CVE-2024-40896 is a critical-severity vulnerability in Libxml2, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 9.1/10. Published 2024-12-23.
- How severe is CVE-2024-40896?
- Critical severity. CVSS v3 base score is 9.1 out of 10.