CVE-2017-17762

HIGH EXPLOITED NUCLEI

Episerver 7 - Blind XML External Entity Injection

Title source: nuclei

Description

XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx.

Nuclei Templates (1)

Episerver 7 - Blind XML External Entity Injection

HIGHVERIFIEDby pussycat0x

Shodan: http.html:"episerver" || cpe:"cpe:2.3:a:episerver:episerver" || http.html:"epihash"

FOFA: body="episerver" || body="epihash"

References (2)

[Exploit, Third Party Advisory] https://gist.github.com/jonaslejon/5f92779848360a1a1e676af0795bd9aa

[Exploit, Mitigation, Third Party Advisory] https://kryptera.se/sarbarhet-i-episerver/

Scores

CVSS v3 7.5

EPSS 0.0179

EPSS Percentile 82.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2026-01-14

CWE

CWE-611

Status published

Products (2)

episerver/episerver 7 (5 CPE variants)

episerver/episerver < 7

Published Aug 29, 2018

Tracked Since Feb 18, 2026