CVE-2018-14485

CRITICAL

BlogEngine.NET 3.3 - XML External Entity (XXE)

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-14485. PoCs published by Netsparker.

AI-analyzed exploit summary This is an advisory detailing an XML External Entity (XXE) Injection vulnerability in BlogEngine 3.3. The vulnerability allows an attacker to read arbitrary files from the server via a crafted POST request to the metaweblog.axd endpoint.

Description

BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog.axd.

Exploits (1)

exploitdb WRITEUP

by Netsparker · textwebappswindows

https://www.exploit-db.com/exploits/46106

View Code ZIP pw:eip

This is an advisory detailing an XML External Entity (XXE) Injection vulnerability in BlogEngine 3.3. The vulnerability allows an attacker to read arbitrary files from the server via a crafted POST request to the metaweblog.axd endpoint.

Classification

Writeup 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: BlogEngine 3.3

No auth needed

Prerequisites: Access to the target's metaweblog.axd endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/151063/BlogEngine-3.3-XML-External-Entity-Injection.html

Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/46106/

Third Party Advisory x_refsource_misc

https://github.com/rxtur/BlogEngine.NET/commits/master

Scores

CVSS v3 9.8

EPSS 0.1629

EPSS Percentile 96.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-611

Status published

Products (1)

blogengine/blogengine.net 3.3

Published May 07, 2019

Tracked Since Feb 18, 2026