What is CVE-2026-24515?

CVE-2026-24515 is a low-severity vulnerability in Libexpat Project, classified under NULL Pointer Dereference. CVSS score: 2.9/10. Published 2026-01-23.

How severe is CVE-2026-24515?

Low severity. CVSS v3 base score is 2.9 out of 10.

NULL pointer dereference in Libexpat Project

CVE-2026-24515

In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.

EPSS: 0.000 (0.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 2.9 (Low). Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L.

Affected products

Libexpat Project — versions 0
Libexpat_project Libexpat

Weakness classification (CWE)

CWE-476 — NULL Pointer Dereference

References

cve@mitre.org (Issue Tracking)
0b142b55-0307-4c5a-b3c9-f314f3fb7c5e

Frequently asked questions

What is CVE-2026-24515?: CVE-2026-24515 is a low-severity vulnerability in Libexpat Project, classified under NULL Pointer Dereference. CVSS score: 2.9/10. Published 2026-01-23.
How severe is CVE-2026-24515?: Low severity. CVSS v3 base score is 2.9 out of 10.