XXE in Arekinath Esaml

CVE-2026-28809

XML External Entity (XXE) vulnerability in esaml (and its forks) allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML message…

Vulnerability class: XXE (XML External Entity)

EPSS: 0.001 (15.8th percentile).

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Frequently asked questions

What is CVE-2026-28809?
CVE-2026-28809 is a medium-severity vulnerability in Arekinath Esaml, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 5.3/10. Published 2026-03-23.
How severe is CVE-2026-28809?
Medium severity. CVSS v3 base score is 5.3 out of 10.