CVE-2016-8526

HIGH

Aruba Airwave < 8.2.3.1 - XML External Entity Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-8526. PoCs published by SEC Consult.

AI-analyzed exploit summary This is a detailed security advisory describing XML External Entity Injection (XXE) and Reflected Cross-Site Scripting (XSS) vulnerabilities in Aruba AirWave. It includes proof-of-concept examples for exploiting these vulnerabilities.

Description

Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to an XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exist on external systems. If an unprivileged user is permitted to control the contents of XML files, XXE can be used as an attack vector. Because the XML parser has access to the local filesystem and runs with the permissions of the web server, it can access any file that is readable by the web server and copy it to an external system of the attacker's choosing. This could include files that contain passwords, which could then lead to privilege escalation.

Exploits (1)

exploitdb WRITEUP VERIFIED

by SEC Consult · textwebappsxml

https://www.exploit-db.com/exploits/41482

View Code ZIP pw:eip

This is a detailed security advisory describing XML External Entity Injection (XXE) and Reflected Cross-Site Scripting (XSS) vulnerabilities in Aruba AirWave. It includes proof-of-concept examples for exploiting these vulnerabilities.

Classification

Writeup 100%

Attack Type

Info Leak | Xss

Complexity

Moderate

Reliability

Reliable

Target: Aruba AirWave <=8.2.3

Auth required

Prerequisites: Access to the Aruba AirWave application · Low-privileged user account

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/96495

Vendor Advisory x_refsource_confirm

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-001.txt

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/41482/

Scores

CVSS v3 8.8

EPSS 0.0982

EPSS Percentile 94.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-611

Status published

Products (1)

hp/airwave < 8.2.3.1

Published Aug 06, 2018

Tracked Since Feb 18, 2026