XPath Injection in Apache Hertzbeat
CVE-2025-24404
XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. The attacker needs to have an authenticated account with access, and add monitor parsed by xml, returned special content can trigger the XM…
EPSS: 0.005 (38.2th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Affected products
Weakness classification (CWE)
References
- security@apache.org (vendor-advisory, Mailing List, Vendor Advisory)
- af854a3a-2127-422b-91ae-364da2661108
Frequently asked questions
- What is CVE-2025-24404?
- CVE-2025-24404 is a high-severity vulnerability in Apache Hertzbeat, classified under XML Injection (Blind XPath Injection). CVSS score: 8.8/10. Published 2025-09-09.
- How severe is CVE-2025-24404?
- High severity. CVSS v3 base score is 8.8 out of 10.