XPath Injection in Apache Hertzbeat

CVE-2025-24404

XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. The attacker needs to have an authenticated account with access, and add monitor parsed by xml, returned special content can trigger the XM…

EPSS: 0.005 (38.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Weakness classification (CWE)

References

Frequently asked questions

What is CVE-2025-24404?
CVE-2025-24404 is a high-severity vulnerability in Apache Hertzbeat, classified under XML Injection (Blind XPath Injection). CVSS score: 8.8/10. Published 2025-09-09.
How severe is CVE-2025-24404?
High severity. CVSS v3 base score is 8.8 out of 10.