CVE-2020-26217

HIGH NUCLEI

XStream < 1.4.14 - Remote Code Execution via Blocklist Bypass

Title source: llm

Exploitation Summary

EIP tracks 9 public exploits for CVE-2020-26217. PoCs published by JAckLosingHeart, novysodope, Al1ex. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC demonstrates a deserialization vulnerability in XStream (CVE-2020-26217) by loading a malicious XML file. The code initializes XStream and deserializes the XML input, which can lead to arbitrary code execution if the XML contains malicious payloads.

Description

XStream before version 1.4.14 is vulnerable to remote code execution. The vulnerability may allow a remote attacker to run arbitrary shell commands solely by manipulating the processed input stream. Only users who rely on blocklists are affected; anyone using XStream's Security Framework allowlist is not affected, because a type the application never registered is refused before any converter or constructor runs. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
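Added example (written for this page, not code from any of the PoCs listed below or from the XStream project) contrasting the two postures the description distinguishes: a blocklist configuration of the kind this CVE bypasses, carrying the two denyTypes entries the linked advisory recommends for users who cannot leave 1.4.13, next to an allowlist configuration that refuses every type the application did not register. The Greeting DTO, its alias and both XML inputs are assumptions constructed for the example; the hostile input merely names a type outside the allowlist and carries no gadget chain.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Map;

/**
 * Added example, not part of the page or of XStream: blocklist posture (affected by
 * CVE-2020-26217) beside an allowlist posture (not affected).
 */
public class XStreamHardening {

    // Hypothetical application DTO; the only user type the allowlist admits.
    public static class Greeting {
        public String text;
    }

    /**
     * Blocklist posture: every type is admitted unless explicitly denied. This is the
     * configuration the CVE bypasses; each new gadget class gets through until someone
     * adds it to the deny list.
     */
    public static XStream blocklistOnly() {
        XStream xstream = new XStream();
        // Installs XStream's default deny list (available since 1.4.10).
        XStream.setupDefaultSecurity(xstream);
        // The two entries the linked advisory adds as a workaround for users stuck on 1.4.13.
        xstream.denyTypes(new String[] { "javax.imageio.ImageIO$ContainsFilter" });
        xstream.denyTypes(new Class[] { ProcessBuilder.class });
        return xstream;
    }

    /**
     * Allowlist posture: deny everything, then admit only what the application needs.
     * Any other class name in the input, gadget or not, is rejected with
     * ForbiddenClassException during type resolution.
     */
    public static XStream allowlistOnly() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // clears all permissions: deny all
        xstream.addPermission(NullPermission.NULL);                // allow null
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives and their wrappers
        xstream.allowTypeHierarchy(Collection.class);              // JDK collections the DTOs use
        xstream.allowTypeHierarchy(Map.class);
        xstream.allowTypes(new Class[] { String.class, Greeting.class });
        xstream.alias("greeting", Greeting.class);                 // assumed alias for the DTO
        return xstream;
    }

    /** True if the configured parser refuses the document, false if it accepts it. */
    public static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream safe = allowlistOnly();

        // Constructed benign input: the allowlisted DTO.
        String benign = "<greeting><text>hello</text></greeting>";
        System.out.println("benign rejected?  " + isRejected(safe, benign));  // false

        // Constructed hostile input: names a JDK type the application never registered.
        // No gadget chain is included; the point is that the type is refused up front.
        String hostile = "<java.lang.ProcessBuilder><command><string>calc</string></command>"
                + "</java.lang.ProcessBuilder>";
        System.out.println("hostile rejected? " + isRejected(safe, hostile)); // true
    }
}
```

Compile against an xstream artifact of 1.4.10 or later; XStream.setupDefaultSecurity was introduced in 1.4.10 and deprecated in 1.4.18, where the allowlist became the default. The allowlist is the durable fix because it does not depend on knowing the next gadget class, whereas the blocklist method is exactly what a new chain such as this one walks around.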

Exploits (9)

github WORKING POC 5 stars
by JAckLosingHeart · javapoc
https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/xstream-CVE-2020-26217

This PoC demonstrates a deserialization vulnerability in XStream (CVE-2020-26217) by loading a malicious XML file. The code initializes XStream and deserializes the XML input, which can lead to arbitrary code execution if the XML contains malicious payloads.

Classification
Working Poc 90%
Attack Type
Deserialization
Complexity
Trivial
Reliability
Reliable
Target: XStream before 1.4.14 (the fixed release per the advisory)
No auth needed
Prerequisites: Malicious XML file (CVE-2020-26217.xml) must be present in the working directory
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC 4 stars
by novysodope · poc
https://github.com/novysodope/CVE-2020-26217-XStream-RCE-POC

This is a working proof-of-concept exploit for CVE-2020-26217, demonstrating remote code execution via XStream deserialization. The payload triggers arbitrary command execution (e.g., 'calc') through a crafted XML input.

Classification
Working Poc 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: XStream (versions affected by CVE-2020-26217)
No auth needed
Prerequisites: Target application using vulnerable XStream version · Ability to send crafted XML payload to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 3 stars
by Al1ex · poc
https://github.com/Al1ex/CVE-2020-26217

This repository contains a functional proof-of-concept exploit for CVE-2020-26217, demonstrating remote code execution via XStream deserialization. The exploit constructs a malicious XML payload that triggers arbitrary command execution (e.g., launching calc.exe) when deserialized by vulnerable XStream versions.

Classification
Working Poc 100%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: XStream <= 1.4.13
No auth needed
Prerequisites: Vulnerable XStream version (<= 1.4.13) · Ability to send malicious XML payload to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by Kairo-one · poc
https://github.com/Kairo-one/CVE-2020-26217-XStream

This repository contains a functional Go-based exploit for CVE-2020-26217, a deserialization vulnerability in XStream. The PoC constructs a malicious XML payload to achieve remote code execution via a crafted HTTP request.

Classification
Working Poc 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: XStream <= 1.4.13
No auth needed
Prerequisites: Target application using vulnerable XStream version · Network access to the target
devstral-2 · analyzed Feb 16, 2026
nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2020-26217-xstream-vulnerable

This repository appears to be a fork or snapshot of the XStream project but lacks any exploit code or technical analysis related to CVE-2020-26217. The files provided are part of the XStream benchmarking tool and do not demonstrate the vulnerability.

Classification
Stub 90%
Attack Type
Deserialization
Complexity
Theoretical
Reliability
Theoretical
Target: XStream (version not specified)
No auth needed
Prerequisites: None identified
devstral-2 · analyzed Mar 14, 2026
nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2020-26217-xstream-vulnerable

The repository contains benchmarking code for XStream but lacks any exploit code or technical details related to CVE-2020-26217. It appears to be a fork or snapshot of the XStream project without vulnerability-specific content.

Classification
Stub 90%
Attack Type
Deserialization
Complexity
Theoretical
Reliability
Theoretical
Target: XStream (version not specified)
No auth needed
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by shoucheng3 · poc
https://github.com/shoucheng3/x-stream__xstream_CVE-2020-26217_1-4-14-java77

This repository contains a proof-of-concept for CVE-2020-26217, a deserialization vulnerability in XStream. The code includes builder utilities and configurations for XStream, which can be used to exploit unsafe deserialization.

Classification
Working Poc 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: XStream before 1.4.14 (the fixed release per the advisory)
No auth needed
Prerequisites: Access to an application using vulnerable XStream version
devstral-2 · analyzed Feb 16, 2026
nomisec STUB
by cuijiung · poc
https://github.com/cuijiung/xstream-CVE-2020-26217

This repository contains a minimal Java stub for CVE-2020-26217, an XStream deserialization vulnerability. It lacks exploit payloads or detailed PoC logic, only demonstrating basic XML deserialization.

Classification
Stub 80%
Attack Type
Deserialization
Complexity
Trivial
Reliability
Theoretical
Target: XStream before 1.4.14 (the fixed release per the advisory)
No auth needed
Prerequisites: XStream library in classpath · Malicious XML file (CVE-2020-26217.xml)
devstral-2 · analyzed Feb 16, 2026
nomisec STUB
by epicosy · poc
https://github.com/epicosy/XStream-1

This repository contains benchmarking code for XStream, a Java XML serialization library. It does not include exploit code for CVE-2020-26217, which is a deserialization vulnerability in XStream.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: XStream
No auth needed
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

XStream <1.4.14 - Remote Code Execution
HIGH · by pwnhxl, vicrack

References (15)

Core References
Mitigation, Third Party Advisory x_refsource_confirm
https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
Exploit, Mitigation, Vendor Advisory x_refsource_confirm
https://x-stream.github.io/CVE-2020-26217.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4811
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210409-0004/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Not Applicable, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html
Not Applicable, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html

Scores

CVSS v3 8.0
EPSS 0.8500
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (37)
apache/activemq 5.16.0
apache/activemq < 5.15.14
com.thoughtworks.xstream/xstream 0 - 1.4.14-java7Maven
debian/debian_linux 9.0
debian/debian_linux 10.0
netapp/snapmanager (2 CPE variants)
oracle/banking_cash_management 14.2
oracle/banking_cash_management 14.3
oracle/banking_cash_management 14.5
oracle/banking_corporate_lending_process_management 14.2
... and 27 more
Published Nov 16, 2020
Tracked Since Feb 18, 2026