CVE-2017-9096

HIGH

iText < 5.5.12 and 7.x < 7.0.3 - XML External Entity Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-9096. PoCs published by jakabakos.

AI-analyzed exploit summary: This repository contains a proof-of-concept for CVE-2017-9096, an XXE vulnerability in the iText PDF library. It includes a malicious PDF with embedded XXE payloads and a Java program to trigger the vulnerability.

Description

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

Exploits (1)

nomisec · Working PoC · 13 stars · by jakabakos · poc
https://github.com/jakabakos/CVE-2017-9096-iText-XXE

Classification
Working PoC (95%)
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: iText PDF library
No auth needed
Prerequisites: A PDF file with embedded XXE payloads · iText PDF library to process the PDF
Analyzed by devstral-2 on Feb 16, 2026

References (4)

Scores

CVSS v3 8.8
EPSS 0.0764
EPSS Percentile 92.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-611
Status published
Products (6)
com.itextpdf/itextpdf 0 - 5.5.12 (Maven)
com.lowagie/itext 0 (Maven)
itextpdf/itext 7.0.0
itextpdf/itext 7.0.1
itextpdf/itext 7.0.2
itextpdf/itext < 5.5.12
Published Nov 08, 2017
Tracked Since Feb 18, 2026