The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HApache Xmlbeans
APPApache≤ 2.6.0Debian
OSDebian9.0Netapp Oncommand Unified Manager Core Package
APPNetappwszystkie wersjeNetapp Snap Creator Framework
APPNetappwszystkie wersjeNetapp Snapmanager
APPNetappwszystkie wersjeOracle Middleware Common Libraries And Tools
APPOracle12.2.1.3.012.2.1.4.0Oracle Peoplesoft Enterprise Peopletools
APPOracle8.578.588.59
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References
Related vulnerabilities
CVE-2026-35273CRITICAL9.8⚠ KEVPL ✓ten sam produkt
Pominięcie uwierzytelnienia w Oracle PeopleSoft PeopleTools (RCE/Takeover)
CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)