What is CVE-2026-34401?

CVE-2026-34401 is a medium-severity vulnerability in Microsoft Xmlnotepad, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 6.5/10. Published 2026-03-31.

How severe is CVE-2026-34401?

Medium severity. CVSS v3 base score is 6.5 out of 10.

XXE in Microsoft Xmlnotepad

CVE-2026-34401

XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are re…

Vulnerability class: XXE (XML External Entity)

EPSS: 0.003 (52.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N.

Affected products

Microsoft Xmlnotepad — versions < 2.9.0.21

Weakness classification (CWE)

CWE-611 — Improper Restriction of XML External Entity Reference (XXE)

References

https://github.com/microsoft/XmlNotepad/security/advisories/GHSA-5j32-486h-42ch (x_refsource_CONFIRM)
https://github.com/microsoft/XmlNotepad/commit/3665603d61ba10b7827a3724e854748cb780140c (x_refsource_MISC)
https://github.com/microsoft/XmlNotepad/commit/c03ab2311ac6960452eb1ab49098768f851dcc53 (x_refsource_MISC)
https://github.com/microsoft/XmlNotepad/releases/tag/2.9.0.21 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-34401?: CVE-2026-34401 is a medium-severity vulnerability in Microsoft Xmlnotepad, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 6.5/10. Published 2026-03-31.
How severe is CVE-2026-34401?: Medium severity. CVSS v3 base score is 6.5 out of 10.