CVE-2019-1010268

CRITICAL

Ladon 0.6.1-0.9.39 - XML External Entity Injection in SOAP Request Handlers

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-1010268. PoCs published by RedTeam Pentesting, Tonyynot14.

AI-analyzed exploit summary: This exploit demonstrates an XML External Entity (XXE) vulnerability in the Ladon Webservice framework, allowing attackers to read local files, perform SSRF, or cause DoS via crafted SOAP messages.

Description

Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.

Exploits (2)

exploitdb WORKING POC
by RedTeam Pentesting · text · webapps · xml
https://www.exploit-db.com/exploits/43113

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ladon Framework for Python (0.9.40 and previous)
No auth needed
Prerequisites: Network access to the Ladon webservice · Ability to send crafted SOAP messages
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by Tonyynot14 · poc
https://github.com/Tonyynot14/CVE-2019-1010268

This repository contains a functional Python exploit for CVE-2019-1010268, which targets an XXE (XML External Entity) vulnerability in the Ladon Framework for Python 0.9.40. The exploit crafts a malicious SOAP request to read arbitrary files from the target system.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ladon Framework for Python 0.9.40
No auth needed
Prerequisites: Target system running Ladon Framework 0.9.40 with SOAP endpoint exposed
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References (2)
https://www.exploit-db.com/exploits/43113 (Exploit, Third Party Advisory, VDB Entry; x_refsource_misc)

Scores

CVSS v3 9.8
EPSS 0.0571
EPSS Percentile 92.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-611
Status published
Products (2)
ladon_project/ladon 0.6.1 - 0.9.40
pypi/ladon 0.6.1 (PyPI)
Published Jul 18, 2019
Tracked Since Feb 18, 2026