CVE-2019-14678

CRITICAL

SAS XML Mapper 9.45 - XML External Entity Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-14678. PoCs published by mbadanoiu.

AI-analyzed exploit summary The repository lacks actual exploit code and instead points to external resources (PDF, vendor disclosure) for details. The README provides no technical depth or PoC code, only generic descriptions of XXE attack vectors.

Description

SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.

Exploits (1)

nomisec SUSPICIOUS

by mbadanoiu · poc

https://github.com/mbadanoiu/CVE-2019-14678

View Code ZIP pw:eip

The repository lacks actual exploit code and instead points to external resources (PDF, vendor disclosure) for details. The README provides no technical depth or PoC code, only generic descriptions of XXE attack vectors.

Classification

Suspicious 90%

Attack Type

Info Leak

Complexity

Theoretical

Reliability

Theoretical

Target: SAS XML Mapper 9.45

No auth needed

Prerequisites: Access to SAS XML Mapper with vulnerable configuration

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14678-Unsafe%20XML%20Parsing-SAS%20XML%20Mapper

Vendor Advisory x_refsource_misc

http://support.sas.com/kb/64/719.html

Scores

CVSS v3 10.0

EPSS 0.0295

EPSS Percentile 85.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-611

Status published

Products (2)

sas/base_sas 9.4 ts1m6

sas/xml_mapper 9.45

Published Nov 14, 2019

Tracked Since Feb 18, 2026