8.5
CVE-2026-12975
- EPSS 0.23%
- Veröffentlicht 25.06.2026 21:12:31
- Zuletzt bearbeitet 06.07.2026 18:12:40
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Apicurio/apicurio-registry: apicurio-registry: unhardened saxparser in content-type detection leads to blind xxe / ssrf / billion-laughs dos
A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker with artifact-write permission (or unauthenticated when the registry runs with default configuration) can upload a crafted XML document to trigger blind server-side request forgery (SSRF) via external DTD/entity fetch, or cause denial of service via entity expansion.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Build Of Apicurio Registry Version >= 3.0 <= 3.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.23% | 0.142 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 8.5 | 3.1 | 4.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 8.5 | 3.1 | 4.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H
|
CWE-611 Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
https://access.redhat.com/security/cve/CVE-2026-12975
https://bugzilla.redhat.com/show_bug.cgi?id=2491688
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-12975.json