CVE-2019-10266

HIGH

Ahsay Cloud Backup Suite 7.7.0.0-8.1.1.50 - Unauthenticated XML External Entity Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-10266. PoCs published by Wietse Boonstra.

AI-analyzed exploit summary: This exploit demonstrates an unauthenticated XML External Entity (XXE) vulnerability in Ahsay Backup versions 7.x to 8.1.0.50. It allows an attacker to read arbitrary files or interact with internal hosts via an out-of-band (OOB) XXE attack.

Description

An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When sending an out-of-bounds XML document to a URL, it is possible to read the file structure and even the content of files without authentication.

Exploits (1)

exploitdb WORKING POC
by Wietse Boonstra · text · webapps · jsp
https://www.exploit-db.com/exploits/47181

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Ahsay Backup v7.x - v8.1.0.50
No auth needed
Prerequisites: Network access to the target server · Ability to host a malicious DTD file on an attacker-controlled server
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Core References
Third Party Advisory x_refsource_misc
https://www.wbsec.nl/ahsay/

Scores

CVSS v3 7.5
EPSS 0.1330
EPSS Percentile 95.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-611
Status published
Products (1)
ahsay/cloud_backup_suite 7.7.0.0 - 8.1.1.50
Published Jul 26, 2019
Tracked Since Feb 18, 2026